
I see so many different people saying to do different things. Is what I have enough for preventing SQL Injection into an MS SQL database? (not MySQL)

    <?php
    // Connection settings ($DB_HOST, $DB_PORT, $DB_DATABASE, $DB_USERNAME,
    // $DB_PASSWORD) are assumed to be defined earlier, e.g. in a config file.

    $id = $_POST['id'];

    // sqlsrv DSN: "Server=host,port;Database=name" (no trailing space).
    $pdo = new PDO("sqlsrv:Server=" . $DB_HOST . "," . $DB_PORT . ";Database=" . $DB_DATABASE, $DB_USERNAME, $DB_PASSWORD);
    // Throw exceptions on errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Named placeholder: the value of $id is sent separately from the SQL text.
    $sql = "SELECT * FROM mytable WHERE mytable_id = :id";
    $result = $pdo->prepare($sql);
    $result->execute(['id' => $id]);

    ?>
jarlh
Nathan Stanford
    `saying to do different things` ...such as what, specifically? Prepared statements and parameters are the only reliable way to prevent SQL injection. – ADyson Jan 07 '22 at 16:01
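An added example, not code from the question or from ADyson's comment, extending the same PDO pattern to the two cases a single bound placeholder does not cover: a list of ids for an IN() clause, and a caller-chosen sort column, which is an identifier and cannot be bound, so it is allowlisted instead. `$pdo` is assumed to be the sqlsrv connection from the question, and the table and column names are assumptions.

```php
<?php
// Added example. Assumes $pdo is the sqlsrv PDO connection from the question
// and that mytable has the columns listed in $allowedSort (illustrative names).

/**
 * Fetch rows whose id is in $ids, sorted by $sortColumn.
 * Values (the ids) are validated and bound as parameters; the column name
 * is an identifier, so it is checked against a fixed allowlist.
 */
function fetchByIds(PDO $pdo, array $ids, string $sortColumn): array
{
    // Identifiers cannot be parameters: allowlist, never interpolate raw input.
    $allowedSort = ['mytable_id', 'created_at', 'name'];
    if (!in_array($sortColumn, $allowedSort, true)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }

    if ($ids === []) {
        return [];
    }

    // Reject anything that is not an integer instead of silently coercing it.
    $clean = [];
    foreach ($ids as $id) {
        $n = filter_var($id, FILTER_VALIDATE_INT);
        if ($n === false) {
            throw new InvalidArgumentException('id must be an integer');
        }
        $clean[] = $n;
    }

    // One positional placeholder per value; the values never touch the SQL text.
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    $sql = "SELECT * FROM mytable WHERE mytable_id IN ($placeholders) "
         . "ORDER BY [$sortColumn]";

    $stmt = $pdo->prepare($sql);
    $stmt->execute($clean);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with constructed input, e.g. from $_POST['ids'] and $_POST['sort']:
// $rows = fetchByIds($pdo, ['3', '7'], 'created_at');
```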

0 Answers