
PHP SQLSRV: Does sqlsrv_query() work to prepare a select statement the right way?

TL;DR

Does sqlsrv_query() do the same job for select statements as sqlsrv_prepare() and sqlsrv_execute() do, regarding prepared statements?

How could I do a safe select statement?

A little history

I'm a newbie regarding PHP development, and I got an old (non-OO) PHP application to maintain and refactor all that spaghetti code. In fact, I made a Repository and a Service abstraction, to put a little Object Orientation inside the project in a separate area, without messing with what is working today.

I've made this abstraction considering a future PDO inclusion. Today I'm just refactoring code step by step. Doctrine and other ORMs are not an option for today (Project Manager decision, unfortunately... Not my fault).

Well, we are using the sqlsrv driver here, and I've seen how to prepare and execute a statement for insert or update operations. The question is: How could I prepare a select statement for execution (helping prevent 1st order injection attacks), similarly to what I do with sqlsrv_prepare() and sqlsrv_execute()?

Configs: PHP 5.3, SQL Server.

Thank you in advance!

They are different.

http://php.net/manual/en/function.sqlsrv-prepare.php

Prepares a query for execution

http://php.net/manual/en/function.sqlsrv-query.php

Prepares and executes a query.

In prepared statements you send the query and parameters separately. As such, you need two separate calls (with sqlsrv_execute providing the other end of that duo).

sqlsrv_query() simply sends the SQL for immediate execution. It does NOT support prepared statements so you will have to have sanitized data included inline.
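As an added example (not code from the question or the answer above), here is what a parameterized SELECT looks like with the sqlsrv driver on PHP 5.3, the setup the question names: the inline-concatenation version beside the sqlsrv_prepare()/sqlsrv_execute() version, plus the case that motivates the two-call split, re-executing one prepared statement with reference-bound parameters. The table dbo.Users, its columns Id and Email, and the connection values in connectDb() are assumptions for illustration only. The last helper also passes the $params array that the manual page linked in the answer documents as sqlsrv_query()'s third argument, so the value is bound there the same way rather than inlined.

```php
<?php
// Added example, not code from the original question or answer.
// Target: PHP 5.3 + the sqlsrv extension, so array() syntax and no scalar type hints.
// The table dbo.Users (columns Id, Email) and the connection values in connectDb()
// are assumed for illustration only.

function connectDb()
{
    // Assumed server/database/credentials; replace with your own.
    $conn = sqlsrv_connect('localhost\\SQLEXPRESS', array(
        'Database' => 'AppDb',
        'UID'      => 'app_user',
        'PWD'      => 'change-me',
    ));
    if ($conn === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    return $conn;
}

// UNSAFE: the value becomes part of the SQL text. An email such as
//   x' OR 1=1 --
// turns the filter into WHERE Email = 'x' OR 1=1 --' and selects every row.
function findUserByEmailUnsafe($conn, $email)
{
    $sql = "SELECT Id, Email FROM dbo.Users WHERE Email = '" . $email . "'";
    return sqlsrv_query($conn, $sql);
}

// SAFE: the SQL text holds only a ? placeholder. The value travels to SQL Server
// as a bound parameter, so it is always data and never part of the statement.
function findUserByEmail($conn, $email)
{
    $sql    = 'SELECT Id, Email FROM dbo.Users WHERE Email = ?';
    $params = array($email);

    $stmt = sqlsrv_prepare($conn, $sql, $params);
    if ($stmt === false || sqlsrv_execute($stmt) === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }

    $rows = array();
    while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
        $rows[] = $row;
    }
    sqlsrv_free_stmt($stmt);
    return $rows;
}

// Why prepare and execute are separate calls: bind the parameter by reference,
// prepare once, then execute repeatedly with new values without re-sending the SQL.
function findUsersByEmails($conn, array $emails)
{
    $email = null;
    $stmt  = sqlsrv_prepare($conn, 'SELECT Id, Email FROM dbo.Users WHERE Email = ?', array(&$email));
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }

    $rows = array();
    foreach ($emails as $email) {          // each assignment updates the bound reference
        if (sqlsrv_execute($stmt) === false) {
            throw new RuntimeException(print_r(sqlsrv_errors(), true));
        }
        while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
            $rows[] = $row;
        }
    }
    sqlsrv_free_stmt($stmt);
    return $rows;
}

// Same binding through sqlsrv_query(): its documented third argument is the same
// $params array, so this is prepare + execute in one call, not string concatenation.
function countUsersByEmail($conn, $email)
{
    $stmt = sqlsrv_query($conn, 'SELECT COUNT(*) AS n FROM dbo.Users WHERE Email = ?', array($email));
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($stmt);
    return (int) $row['n'];
}

$conn  = connectDb();
$input = "x' OR 1=1 --";                  // constructed attacker-style input
// The unsafe helper treats $input as SQL; the parameterized helpers search for
// the literal string "x' OR 1=1 --" as an email address.
var_dump(findUserByEmail($conn, $input));
var_dump(countUsersByEmail($conn, $input));
sqlsrv_close($conn);
```

The Repository layer mentioned in the question only needs the parameterized helpers; leaving findUserByEmailUnsafe() in place is the pattern to refactor away, since no amount of "sanitizing" the string is as reliable as keeping the value out of the SQL text altogether.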
