
I have a query which is run against an MSSQL database, and I'm not using the PDO drivers. Is there something like a prepared statement I can use?

Here is the query:

$tsql = "INSERT INTO cplinktable (liferayid, bmsid, autotaskid, waspdb, cpid) VALUES ($liferayid, $bmsid, $autotaskid, '$waspdb', $cpid)";

thanks,

Jonesy

    You may find [this previous answer](http://stackoverflow.com/questions/574805/how-to-escape-strings-in-mssql-using-php) helpful. – Matt Gibson Oct 20 '10 at 15:08

5 Answers


You should at least escape the values.

PHP Manual - mysql_real_escape_string

Mr Griever
// Every value is escaped and quoted; mysql_real_escape_string needs an open MySQL connection.
$query = sprintf("INSERT INTO cplinktable (liferayid, bmsid, autotaskid, waspdb, cpid) VALUES ('%s','%s','%s','%s','%s')",
            mysql_real_escape_string($liferayid),
            mysql_real_escape_string($bmsid),
            mysql_real_escape_string($autotaskid),
            mysql_real_escape_string($waspdb),
            mysql_real_escape_string($cpid));
Eton B.

It's as simple as using mysql_real_escape_string on strings and typecasting on digits / ints / doubles:

(int)$number; //Safe
(double)$double; //Safe
mysql_real_escape_string($string); //Safe

Used on every piece of data you insert into your database, this will be safe.

RobertPitt

Try prepared statements with sprintf():

$tsql = "INSERT INTO cplinktable (liferayid, bmsid, autotaskid, waspdb, cpid) VALUES (%d, %d, %d, '%s', %d)";

$tsql = sprintf($tsql, $liferayid, $bmsid, $autotaskid, $waspdb, $cpid);
echo $tsql; // you would execute this but printing to the screen to show the query
Phill Pafford
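The question asks for a prepared-statement equivalent against MSSQL, and the answers above reach for mysql_real_escape_string and sprintf. The following is an added example, not code from the question or any answer: it assumes Microsoft's sqlsrv extension (a `$conn` from `sqlsrv_connect()`) for a genuinely parameterised INSERT, and shows a string-building fallback that casts the numeric columns and quotes the string column with T-SQL rules, since mysql_real_escape_string belongs to the MySQL extension and needs an open MySQL connection.

```php
<?php
// Added example; assumes the sqlsrv extension and an open $conn from
// sqlsrv_connect(). The table and column names are the question's own.

// Parameterised INSERT: the values travel separately from the SQL text,
// so no escaping is needed and no value can change the statement's shape.
function insertLink($conn, $liferayid, $bmsid, $autotaskid, $waspdb, $cpid)
{
    $tsql = "INSERT INTO cplinktable (liferayid, bmsid, autotaskid, waspdb, cpid)
             VALUES (?, ?, ?, ?, ?)";
    $params = array((int)$liferayid, (int)$bmsid, (int)$autotaskid,
                    (string)$waspdb, (int)$cpid);
    $stmt = sqlsrv_query($conn, $tsql, $params);
    if ($stmt === false) {
        // Log sqlsrv_errors() server-side; do not echo it back to the client.
        return false;
    }
    sqlsrv_free_stmt($stmt);
    return true;
}

// Fallback when the statement must be assembled as a string (for example
// with the legacy mssql extension, which has no parameter binding for
// plain queries): cast every numeric column, and quote the one string
// column with T-SQL rules, where a literal ' inside a string is written ''.
function tsqlString($value)
{
    return "'" . str_replace("'", "''", (string)$value) . "'";
}

function buildInsert($liferayid, $bmsid, $autotaskid, $waspdb, $cpid)
{
    // %d forces an integer, so a value like "3abc" becomes 3 rather than
    // being spliced into the statement; %s receives the already-quoted string.
    return sprintf(
        "INSERT INTO cplinktable (liferayid, bmsid, autotaskid, waspdb, cpid) VALUES (%d, %d, %d, %s, %d)",
        (int)$liferayid, (int)$bmsid, (int)$autotaskid, tsqlString($waspdb), (int)$cpid
    );
}

// Constructed input: a waspdb value carrying a single quote, the character
// that would otherwise terminate the literal early.
echo buildInsert("7", "12", "3abc", "it's a db", "9"), "\n";
```

Prefer the parameterised path whenever the driver offers it; the string builder only covers the five columns of this one statement and has to be revisited for every new column type.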