cezarlamann

Reputation: 1523

PHP SQLSRV: Does sqlsrv_query() work to prepare a select statement, the right way?

TL;DR

Does sqlsrv_query() do the same job for select statements as sqlsrv_prepare() and sqlsrv_execute() do, regarding prepared statements?

How could I do a safe select statement?

A little history

I'm a newbie regarding PHP development, and I got an old (non-OO) PHP application to maintain and refactor all that spaghetti code. In fact, I made a Repository and a Service abstraction, to put a little Object Orientation inside the project in a separate area, without messing with what is working nowadays.

I've made this abstraction considering a future PDO inclusion. Today I'm just refactoring code by steps. Doctrine and other ORMs are not an option for today (Project Manager decision, unfortunately... Not my fault).

Well, we are using the sqlsrv driver here, and I've seen how to prepare and execute a statement for insert or update operations. The question is: how could I prepare a select statement for execution (helping prevent 1st order injection attacks), similarly to what I do with sqlsrv_prepare() and sqlsrv_execute()?

Configs: PHP 5.3, SQL Server.

Thank you in advance!

Upvotes: 3

Views: 3846

Answers (1)

Machavity

Reputation: 31654

They are different.

http://php.net/manual/en/function.sqlsrv-prepare.php

Prepares a query for execution

http://php.net/manual/en/function.sqlsrv-query.php

Prepares and executes a query.

In prepared statements you send the query and parameters separately. As such, you need two separate calls (with sqlsrv_execute providing the other end of that duo).

sqlsrv_query() simply sends the SQL for immediate execution. It does NOT support prepared statements so you will have to have sanitized data included inline.

Upvotes: 2
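To make the prepare/execute route concrete for a SELECT, here is an added example (not code from the question or the answer) that keeps the SQL text fixed and passes the user-supplied value as a bound parameter, next to the inline-concatenation version it replaces. Connection values, the table and column names, and the `findUsersByEmail()` helper are placeholders chosen for the example; the code uses array() syntax so it runs on PHP 5.3.

```php
<?php
// Added example: parameterized SELECT with sqlsrv_prepare()/sqlsrv_execute().
// Connection details are placeholders, not values from the page.
$conn = sqlsrv_connect("PLACEHOLDER_SERVER", array(
    "Database" => "PLACEHOLDER_DB",
    "UID"      => "PLACEHOLDER_USER",
    "PWD"      => "PLACEHOLDER_PASSWORD",
));
if ($conn === false) {
    die(print_r(sqlsrv_errors(), true));
}

// UNSAFE (what the question wants to get rid of): the input becomes part of
// the SQL text, so the server parses whatever it contains as SQL.
// $sql = "SELECT id, name FROM users WHERE email = '" . $_GET['email'] . "'";

// SAFE: the statement shape is fixed at prepare time; the value is sent
// separately through the driver's parameter array, never through the SQL string.
function findUsersByEmail($conn, $email)
{
    $sql = "SELECT id, name FROM users WHERE email = ?";

    // sqlsrv_prepare() binds parameters by reference, so the variable must
    // exist before the call; re-assigning it and calling sqlsrv_execute()
    // again re-runs the same prepared statement with the new value.
    $params = array(&$email);

    $stmt = sqlsrv_prepare($conn, $sql, $params);
    if ($stmt === false) {
        die(print_r(sqlsrv_errors(), true));
    }
    if (sqlsrv_execute($stmt) === false) {
        die(print_r(sqlsrv_errors(), true));
    }

    $rows = array();
    while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
        $rows[] = $row;
    }
    sqlsrv_free_stmt($stmt);
    return $rows;
}

// Raw request input is passed straight in; the driver, not string escaping,
// keeps it out of the SQL text.
$email = isset($_GET['email']) ? $_GET['email'] : '';
foreach (findUsersByEmail($conn, $email) as $user) {
    echo $user['id'], ': ', $user['name'], PHP_EOL;
}
sqlsrv_close($conn);
```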
