macha

Reputation: 7487

Sanitization against SQL Injection for Input going into an Oracle database

Hello, I have been working for a while with PHP and MySQL. Now I am working in a PHP-Informix and PHP-Oracle environment. I have always used mysql_real_escape_string for the data going into the database. I am presently working on Informix and Oracle database servers, and am unaware of any escape functions for databases which are to be connected through drivers such as OCI8 or ODBC.

Could anybody explain a little about the security measures for these databases?

Upvotes: 2

Views: 4273

Answers (2)

winkbrace

Reputation: 2711

Yes, Oracle has bind variables that automatically take care of preventing SQL injection. Neat, huh? :) Adam Hawkes uses the PDO library. I personally use oci8 with the oci_bind_by_name function.

Upvotes: 3

anon


Don't do sanitization unless you are doing VERY dynamic queries. Parameterized queries are the right way to go. Here's the PHP Documentation which describes how to do this.

Upvotes: 6
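Both answers point the same way: bind the values instead of escaping them. The script below is an added example written for this page (it is not code from the question or from either answer) and shows the oci8 bind-variable approach winkbrace describes alongside the PDO prepared-statement approach, plus the one case anon hints at where binding does not apply: a caller-chosen column name, which has to be allow-listed because Oracle cannot bind an identifier. It assumes a reachable Oracle instance and an EMPLOYEES table with EMPLOYEE_ID, LAST_NAME and SALARY columns; the connection string, credentials and table are placeholders.

```php
<?php
// Added example, not from the question or either answer. Assumes an Oracle
// database reachable via the placeholder connection string below and a table
// EMPLOYEES(EMPLOYEE_ID, LAST_NAME, SALARY). Credentials are placeholders.

declare(strict_types=1);

$connStr  = '//db.example.internal:1521/ORCLPDB1'; // placeholder
$username = 'app_user';                            // placeholder
$password = 'change-me';                           // placeholder

// User-controlled input, as it might arrive from a form or URL. The default
// contains a quote so the difference from string concatenation is visible.
$lastName = $_GET['last_name'] ?? "O'Brien";
$sortCol  = $_GET['sort'] ?? 'last_name';

// What NOT to do: building the statement by concatenation. The quote in
// O'Brien alone breaks it, and crafted input can change its meaning.
// $sql = "SELECT employee_id, last_name, salary FROM employees "
//      . "WHERE last_name = '" . $lastName . "'";

// Identifiers (column names in ORDER BY) cannot be bound, so they are
// checked against an allow-list. This is the "very dynamic" situation anon
// mentions: the allow-list replaces any attempt at escaping.
$allowedSortColumns = ['employee_id', 'last_name', 'salary'];
if (!in_array($sortCol, $allowedSortColumns, true)) {
    $sortCol = 'last_name'; // reject unknown values rather than escape them
}

// --- Option 1: oci8 with bind variables (winkbrace's approach) -------------
$conn = oci_connect($username, $password, $connStr);
if ($conn === false) {
    $e = oci_error();
    throw new RuntimeException('Connect failed: ' . $e['message']);
}

$sql  = "SELECT employee_id, last_name, salary FROM employees "
      . "WHERE last_name = :last_name ORDER BY $sortCol"; // $sortCol allow-listed above
$stmt = oci_parse($conn, $sql);

// oci_bind_by_name takes its value by reference, so pass a variable. The
// value travels separately from the SQL text and is never parsed as SQL,
// which is why no escaping is needed.
oci_bind_by_name($stmt, ':last_name', $lastName);

if (!oci_execute($stmt)) {
    $e = oci_error($stmt);
    throw new RuntimeException('Execute failed: ' . $e['message']);
}
// oci8 returns column names in upper case by default.
while (($row = oci_fetch_assoc($stmt)) !== false) {
    printf("%s\t%s\t%s\n", $row['EMPLOYEE_ID'], $row['LAST_NAME'], $row['SALARY']);
}
oci_free_statement($stmt);
oci_close($conn);

// --- Option 2: PDO prepared statement (the PDO route winkbrace mentions) ---
$pdo = new PDO("oci:dbname=$connStr", $username, $password, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdoStmt = $pdo->prepare(
    "SELECT employee_id, last_name, salary FROM employees "
    . "WHERE last_name = :last_name AND salary >= :min_salary"
);
// Typed binding: the string stays a string, the threshold stays an integer.
$pdoStmt->bindValue(':last_name', $lastName, PDO::PARAM_STR);
$pdoStmt->bindValue(':min_salary', 50000, PDO::PARAM_INT);
$pdoStmt->execute();
foreach ($pdoStmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    printf("%s\t%s\t%s\n", $row['EMPLOYEE_ID'], $row['LAST_NAME'], $row['SALARY']);
}
```

The same pattern applies to Informix through PDO_ODBC or PDO_INFORMIX: prepare with `?` or named placeholders and bind, never interpolate. The only pieces you still have to validate yourself are the ones a bind variable cannot carry, such as table or column names and sort direction, and an allow-list is the right tool for those.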
