jRogers

Reputation: 37

How to insert data to sql using SQLSRV Prepared statement

I have tried everything to get this code to work and I am really stuck. As far as I can see, everything is as it should be. I could be missing something really easy, but I cannot find it. Any help would be appreciated.

<?php
session_start();
date_default_timezone_set('Europe/London');
ini_set('display_errors', 1);
error_reporting(-1);

require 'connect.php';   // must define $con (the sqlsrv_connect() resource)

if (isset($_POST['submit'])) {

    // Take the date part of "dd/mm/yyyy hh:mm" and switch to dashes so DateTime parses it day-first.
    $cutdate = $_POST['start_date'];
    $split = explode(" ", $cutdate);
    $dateformat = $split[0];
    $date = str_replace("/", "-", $dateformat);
    $dayofweek = date_format(new DateTime($date), 'l');
    $monthofyear = date_format(new DateTime($date), 'F');
    $yearof = date_format(new DateTime($date), 'Y');
    $weekcommencingform = date('d-m-Y', strtotime('monday this week', strtotime($date)));
    $weekcommencing = str_replace("-", "/", $weekcommencingform);

    $inc = $_POST['inc'];
    $status = 'Open';
    $start = $_POST['start_date'];
    $incday = $dayofweek;
    $incweek = $weekcommencing;
    $incmonth = $monthofyear;
    $incyear = $yearof;
    $channel = $_POST['channel'];
    $journey = $_POST['journey'];
    $application = $_POST['application'];
    $category = $_POST['category'];
    $priority = $_POST['priority'];
    $description = $_POST['description'];
    $opened_by = $_SESSION["user"];

    // One "?" per column; the values travel as parameters, not inside the SQL text.
    $sql = "INSERT INTO [dbo].[incidents]
                        (inc, status, act_start_date, start_date,
                        inc_day, inc_week, inc_month, inc_year,
                        opened_by, priority, system, category,
                        channel, journey, description)
                VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";

    // Parameters in placeholder order; $start is bound twice (act_start_date and start_date).
    $params = array(&$inc, &$status, &$start, &$start,
                    &$incday, &$incweek, &$incmonth, &$incyear,
                    &$opened_by, &$priority, &$application, &$category,
                    &$channel, &$journey, &$description);

    $stmt = sqlsrv_query($con, $sql, $params);

    if ($stmt) {
        echo "Row successfully inserted";
    } else {
        echo "Row insertion failed";
        die(print_r(sqlsrv_errors(), true));
    }
}

Upvotes: 0

Views: 3408

Answers (1)

Cemal

Reputation: 1579

The function sqlsrv_query doesn't prepare; it simply sends the SQL for immediate execution. It does NOT support prepared statements, so you will have to have sanitized data included inline. To use prepared statements you have to fix your code and change

$stmt = sqlsrv_query($con, $sql, $params);
if ($stmt) {
    echo "Row successfully inserted";
} else {
    echo "Row insertion failed";
    die(print_r(sqlsrv_errors(), true));
}

to

$stmt = sqlsrv_prepare($con, $sql, $params);
if ($stmt === false) {
    // prepare itself failed (e.g. invalid SQL); never pass false on to sqlsrv_execute()
    die(print_r(sqlsrv_errors(), true));
}
if (sqlsrv_execute($stmt) === false) {
    echo "Row insertion failed";
    die(print_r(sqlsrv_errors(), true));
} else {
    echo "Row successfully inserted";
}

Here is the documentation for sqlsrv_query and sqlsrv_prepare.

Upvotes: 2
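To show what the sqlsrv_prepare/sqlsrv_execute split in the answer buys you, here is an added example (not the asker's or the answerer's code): the INSERT is prepared once and then executed for several rows simply by changing the by-reference variables, with the user-supplied text travelling as parameter values rather than inside the SQL string. It assumes connect.php supplies $con and the [dbo].[incidents] table from the question; the rows and the opened_by value are constructed.

```php
<?php
// Added example, not the asker's or the answerer's code. Assumes connect.php defines
// $con as in the question and the [dbo].[incidents] columns the question's INSERT uses.
require 'connect.php';

$sql = "INSERT INTO [dbo].[incidents]
            (inc, status, act_start_date, start_date, inc_day, inc_week, inc_month, inc_year,
             opened_by, priority, system, category, channel, journey, description)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";

// sqlsrv_prepare() keeps REFERENCES to these variables and reads their current values on
// every sqlsrv_execute(), so the statement is prepared once and run per row.
$inc = $status = $start = $incday = $incweek = $incmonth = $incyear = null;
$opened_by = $priority = $application = $category = $channel = $journey = $description = null;
$params = [&$inc, &$status, &$start, &$start, &$incday, &$incweek, &$incmonth, &$incyear,
           &$opened_by, &$priority, &$application, &$category, &$channel, &$journey, &$description];

$stmt = sqlsrv_prepare($con, $sql, $params);
if ($stmt === false) {                    // e.g. a wrong column name; nothing has been executed
    die(print_r(sqlsrv_errors(), true));
}

// Constructed sample rows standing in for validated $_POST input. The apostrophe in the first
// description is sent as a parameter value and is never spliced into the SQL text.
$rows = [
    ['inc' => 'INC001', 'start' => '01/05/2017 09:00', 'priority' => 'P2', 'channel' => 'Web',
     'journey' => 'Login', 'application' => 'Portal', 'category' => 'Access',
     'description' => "User can't log in"],
    ['inc' => 'INC002', 'start' => '02/05/2017 14:30', 'priority' => 'P3', 'channel' => 'Mobile',
     'journey' => 'Checkout', 'application' => 'App', 'category' => 'Payment',
     'description' => 'Card declined'],
];

foreach ($rows as $r) {
    // Same derivation as the question: date part only, d/m/Y -> d-m-Y so DateTime reads it day-first.
    $dt       = new DateTime(str_replace('/', '-', explode(' ', $r['start'])[0]));
    $incday   = $dt->format('l');  $incmonth = $dt->format('F');  $incyear = $dt->format('Y');
    $incweek  = str_replace('-', '/', date('d-m-Y', strtotime('monday this week', $dt->getTimestamp())));
    $inc = $r['inc'];            $status = 'Open';                 $start = $r['start'];
    $opened_by = 'jdoe';         // constructed; the question takes this from $_SESSION['user']
    $priority = $r['priority'];  $application = $r['application'];  $category = $r['category'];
    $channel = $r['channel'];    $journey = $r['journey'];          $description = $r['description'];

    if (sqlsrv_execute($stmt) === false) {
        echo "Insert of {$r['inc']} failed: " . print_r(sqlsrv_errors(), true);
    } else {
        echo "Inserted {$r['inc']}\n";
    }
}
sqlsrv_free_stmt($stmt);
```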
