I am used to developing in PHP/MySQL and have no experience developing with SQL Server. I've skimmed over the PHP MSSQL documentation and it looks similar to MySQLi in some of
Stored procedures. That's it. Deny access to any operation other than executing stored procedures. This way you only allow a certain set of requests to be made to your database, thus eliminating any form of SQL Injection.
Both support Stored Procedures, BUT, in MSSQL they are easier to debug, because error messages are much clearer.
Parameterized queries are the way to go. The sqlsrv driver supports parameterized queries. Of course, this will only be useful to you if you are running PHP on Windows. On the chance that you are, there's more information (with examples) here: How and Why to Use Parameterized Queries.
Any database can be subject to SQL injection attacks. One way to help avoid them is to use Stored Procedures. Both MSSQL & MySQL support stored procedures.
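
The two approaches recommended in the answers above, a parameterized query through the sqlsrv driver and a call to a stored procedure, shown as an added example that is not code from any of the posters. The server name, database, credentials, the dbo.Users table and the dbo.GetUserByName procedure are assumptions.

```php
<?php
// Added example. Server, database, credentials, dbo.Users and
// dbo.GetUserByName are assumptions, not taken from the page.
$conn = sqlsrv_connect('localhost', [
    'Database'     => 'AppDb',
    'UID'          => getenv('DB_USER'),
    'PWD'          => getenv('DB_PASS'),
    'CharacterSet' => 'UTF-8',
]);
if ($conn === false) {
    error_log(print_r(sqlsrv_errors(), true)); // log details, do not echo them
    exit('Database unavailable');
}

// Run a statement with bound parameters and return all rows.
function fetchAll($conn, string $sql, array $params): array
{
    $stmt = sqlsrv_query($conn, $sql, $params);
    if ($stmt === false) {
        error_log(print_r(sqlsrv_errors(), true));
        return [];
    }
    $rows = [];
    while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
        $rows[] = $row;
    }
    sqlsrv_free_stmt($stmt);
    return $rows;
}

// Constructed input containing a quote and a tautology. Because it is
// bound as a parameter, the server compares it as a literal string.
$name = "nobody' OR '1'='1";

// 1. Parameterized ad hoc query: the ? placeholder is filled by the driver.
$rows = fetchAll($conn, 'SELECT id, email FROM dbo.Users WHERE username = ?', [$name]);
printf("query rows: %d\n", count($rows));

// 2. Stored procedure call, also with a bound parameter. The procedure
//    must itself use its parameter directly (or via sp_executesql) and
//    not concatenate it into dynamic SQL.
$rows = fetchAll($conn, '{call dbo.GetUserByName(?)}', [$name]);
printf("procedure rows: %d\n", count($rows));

sqlsrv_close($conn);
```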