Prevent SQL injection in PHP [duplicate]

This question already has answers here: Closed 11 years ago.

Possible Duplicate:

How to开发者_如何转开发 escape strings in MSSQL using PHP?

I am making a system and I need to prevent SQL injection. I'm using PHP and SQL Server 2008 R2. Basically what I'm wondering is if I can just use:

mysql_real_escape_string

or is there a specific one for SQL Server. Any feedback appreciated.

---

I would suggest start using PDO. this way you could use parametrized query which will take care of almost everything for you including SQL injection plus it supports a very large RDBMS including MSSQL.

Here are some of the topic to get you started.

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

http://www.php.net/manual/en/book.pdo.php

---

I have a calss I built for my project, maybe it can help you out

    <?php

    class clean
    {
        public static function stripJS($input)
        {
            return preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', "", $input);
        }

        public static function email($input)
        {
            return clean::stripJS(filter_var($input, FILTER_SANITIZE_EMAIL));
        }

        public static function noTags($input)
        {
            return strip_tags(clean::stripJs($input));
        }

        public static function dbIN($input)
        {
            return mysql_real_escape_string(self::stripJS($input));
        }

        public static function dbOUT($input)
        {
            return stripslashes($input);
        }
    }

$input = clean::dbIN($input);

    ?>

---

You can't use the mysql specific escape function.

Use something that deals in bound parameters.