I am trying to replace my non-secure query with PDO (to prevent SQL injection) but I don't trust myself with what I'm doing. I have a db connection file:
<?php
$serverName ="db_name\SQLEXPRESS";
$usr="sa";
$pwd="SysAdmin1";
$db="DB";
$connectionInfo = array("UID" => $usr, "PWD" => $pwd, "Database" => $db);
$conn = sqlsrv_connect($serverName, $connectionInfo);
?>
and my file with the query:
require_once 'db_file.php';
$place=$_POST['place'];
$name=$_POST['name'];
// user input is interpolated straight into the SQL text, so it can change the query
$sql_user = "SELECT * FROM users WHERE name='$name' and place= '$place' ";
$res = sqlsrv_query($conn,$sql_user);
$row = sqlsrv_fetch_array($res);
It works fine but is not secure. I tried replacing it with:
$sql_user = $conn -> prepare ("SELECT * FROM users WHERE name = :name and place = :place");
$sql_user -> execute (array(':name => '$name' , :place => '$place''));
$row = $sql_user -> fetch();
I get the error Parse error: syntax error, unexpected T_VARIABLE, expecting ')'. I have read many posts about that but I'm not sure whether I'm doing it the right way or not, because sometimes the variables in the query are :name and sometimes only ?.
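Two separate things are wrong in the attempt above. The parse error comes from the quoting in the execute() array: `':name => '$name'` closes the string before `$name`, so PHP sees a bare variable where it expects `)`; the key and the value each need their own quotes, as in `':name' => $name`. Even with that fixed, `$conn` comes from `sqlsrv_connect()`, which returns a resource, not a PDO object, so `$conn->prepare()` does not exist on it. The example below is added here and is not the asker's code; it uses the server, database and login from the question and assumes the Microsoft `pdo_sqlsrv` and `sqlsrv` extensions are installed. It shows the PDO route with both placeholder styles, and the smaller change of keeping `sqlsrv_connect()` and passing the values as the third argument of `sqlsrv_query()`.

```php
<?php
// Added example (not the asker's code): parameterised queries against SQL Server.
// Assumes the pdo_sqlsrv and sqlsrv PHP extensions are installed; the server,
// database and login are the ones from the question.
declare(strict_types=1);

$serverName = "db_name\SQLEXPRESS";
$db  = "DB";
$usr = "sa";         // from the question; a least-privileged login is preferable to sa
$pwd = "SysAdmin1";

$place = $_POST['place'] ?? '';
$name  = $_POST['name'] ?? '';

// --- Option A: PDO with the sqlsrv driver ----------------------------------
// $pdo is a PDO object, so prepare()/execute() exist. A resource from
// sqlsrv_connect() has no methods, which is why "$conn->prepare()" fails.
$pdo = new PDO("sqlsrv:Server=$serverName;Database=$db", $usr, $pwd, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
]);

// Named placeholders: the keys passed to execute() match the :name tokens.
// The values travel separately from the SQL text, so they cannot alter the query.
$stmt = $pdo->prepare("SELECT * FROM users WHERE name = :name AND place = :place");
$stmt->execute([':name' => $name, ':place' => $place]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Positional placeholders: "?" is the same mechanism, filled in order.
// One statement must use either :named or ? markers, never both.
$stmt = $pdo->prepare("SELECT * FROM users WHERE name = ? AND place = ?");
$stmt->execute([$name, $place]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// --- Option B: keep sqlsrv_connect() and parameterise sqlsrv_query() -------
$conn = sqlsrv_connect($serverName, ["UID" => $usr, "PWD" => $pwd, "Database" => $db]);
if ($conn === false) {
    error_log(print_r(sqlsrv_errors(), true)); // log details, don't show them to the user
    exit('database error');
}
// The sqlsrv extension only supports positional "?" markers; the third
// argument carries the values, which are sent to the server as parameters.
$res = sqlsrv_query($conn, "SELECT * FROM users WHERE name = ? AND place = ?", [$name, $place]);
if ($res === false) {
    error_log(print_r(sqlsrv_errors(), true));
    exit('database error');
}
$row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC);
```

Either option is safe against injection because the SQL text no longer contains user input. Pick one connection style for the whole application: the `$conn` resource from `db_file.php` works with `sqlsrv_query()` and its parameter array, while `->prepare()`/`->execute()` need a PDO object created with `new PDO(...)`.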