Question
I am making a website with a search function backed by a database that runs SQL Server, so I decided to use the sqlsrv functions to access the database. As I want to protect my PHP code against SQL injection attacks, I decided to use the sqlsrv_prepare function, as suggested by a fellow Stack Overflower. My problem is that I can't wrap my head around the function. This is the PHP code I wrote using the example and notes from php.net.
```php
<?php
$search = $_POST["search"];
$search = "%$search%";
$sql = "SELECT table1.column1, table1.column2, table1.column3, table2.column1, table2.column2
FROM table1
INNER JOIN table2 ON table1.column1 = table2.column3
WHERE column1 LIKE ?
ORDER BY den_produs ASC";
$params = array(&$search);
var_dump($sql, $params);
$stmt = sqlsrv_prepare($conn, $sql, $params);
if( !$stmt ) {
    die( print_r( sqlsrv_errors(), true));
}
// Rows are fetched here before the statement has been executed
while( $row = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC) ) {
    if (sqlsrv_execute($stmt)) {
        echo $row['column1']."--> ".$row['column2']."--> ".$row['column3']."|| ".$row['column1'].$row['column2']."<br />";
    }
}
?>
```
Basically, I have a database with products (since it is an eCommerce website) and I want to search for product names. The SQL code works (the column and table names have been made generic since the real ones are weird, long and unnecessary here), since I have tested it while searching directly with the $search variable (which is not safe, of course). Thank you for your time!
EDIT: If I delete the WHERE clause, I get the same result, even if I only delete the first part or both. The output of var_dump is:
```
string(425) "SELECT table1.column1, table1.column2, table1.column3,table2.column1,table2.column2 FROM table1 INNER JOINtable2 ON table1.column1 =table2.column3 WHERE column4 = 'value given by me' AND column1 LIKE ? ORDER BY column1 ASC" array(2) { [0]=> &string(12) "%searchtest%" [1]=> int(4) }
```
Answer 1:
After some more digging, I found a post on a Microsoft forum giving a better example. The issue was that, after preparing the parameters, I wasn't executing the SQL code, as I was supposed to when using parameters. I have also stopped using a variable for passing the array. Here is the working code:
```php
<?php
$search = $_POST["search"];
$search = "%$search%";
$sql = "SELECT table1.column1, table1.column2, table1.column3, table2.column1, table2.column2
FROM table1
INNER JOIN table2 ON table1.column1 = table2.column3
WHERE column1 LIKE ?
ORDER BY den_produs ASC";
// The parameter array is passed inline instead of through a variable
$stmt = sqlsrv_prepare($conn, $sql, array($search));
if( !$stmt ) {
    die( print_r( sqlsrv_errors(), true));
}
// Execute the prepared statement once, then fetch the rows it returned
if(sqlsrv_execute($stmt)){
    while($row = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC)){
        echo $row['column1']."--> ".$row['column2']."--> ".$row['column3']."|| ".$row['column1'].$row['column2']."<br />";
    }
}else{
    die( print_r( sqlsrv_errors(), true));
}
?>
```
If someone has an actual explanation regarding the issue, I would be more than happy to mark it as the accepted answer, since I don't know a lot about PHP and sqlsrv.
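Added example, not code from the question or the answer: the same prepare / execute / fetch sequence wrapped in a function, with the LIKE pattern built so that `%`, `_` and `[` typed by the user are matched literally through an ESCAPE clause instead of acting as wildcards. It assumes an open `$conn` from sqlsrv_connect() and the generic table1/column1 names from the question; `escapeLikePattern` and `searchProducts` are names chosen here.

```php
<?php
// Escape SQL Server's LIKE metacharacters (% _ [) and the escape character
// itself; the escape character goes first so it is never double-escaped.
function escapeLikePattern(string $value, string $esc = '\\'): string {
    return str_replace(
        [$esc, '%', '_', '['],
        [$esc . $esc, $esc . '%', $esc . '_', $esc . '['],
        $value
    );
}

// Prepare once, execute, then fetch. $conn is assumed to come from
// sqlsrv_connect(); table/column names are the question's placeholders.
function searchProducts($conn, string $term): array {
    $pattern = '%' . escapeLikePattern($term) . '%';
    // ESCAPE '\' names the character that makes a wildcard literal; the
    // pattern itself still travels as a bound parameter, not as SQL text.
    $sql = "SELECT table1.column1, table1.column2, table1.column3
            FROM table1
            INNER JOIN table2 ON table1.column1 = table2.column3
            WHERE table1.column1 LIKE ? ESCAPE '\\'
            ORDER BY table1.column1 ASC";
    // sqlsrv_prepare binds parameter variables by reference
    $stmt = sqlsrv_prepare($conn, $sql, [&$pattern]);
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    // Nothing reaches the server until sqlsrv_execute runs
    if (sqlsrv_execute($stmt) === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    $rows = [];
    // sqlsrv_fetch_array: array per row, null at end of result set, false on error
    while (($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) !== null) {
        if ($row === false) {
            throw new RuntimeException(print_r(sqlsrv_errors(), true));
        }
        $rows[] = $row;
    }
    sqlsrv_free_stmt($stmt);
    return $rows;
}

// A search for "100%" now matches names containing the literal "100%"
// rather than every name that starts with "100".
$results = searchProducts($conn, $_POST['search'] ?? '');
foreach ($results as $row) {
    echo htmlspecialchars($row['column1']) . ' --> ' . htmlspecialchars($row['column2']) . "<br />\n";
}
```

Output goes through htmlspecialchars() so product names containing markup are rendered as text rather than as HTML.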
Source: https://stackoverflow.com/questions/50177094/how-to-use-sqlsrv-prepare-function