
I have a query which is run against an MSSQL database and I'm not using PDO drivers. Is there something like a prepared statement I can use?

Here is the query:

$tsql = "INSERT INTO cplinktable (liferayid, bmsid, autotaskid, waspdb, cpid) VALUES ($liferayid, $bmsid, $autotaskid, '$waspdb', $cpid)";

thanks,

Jonesy

webbiedave
iamjonesy
    You may find [this previous answer](http://stackoverflow.com/questions/574805/how-to-escape-strings-in-mssql-using-php) helpful. – Matt Gibson Oct 20 '10 at 15:08

5 Answers

0

You should at least escape the values.

PHP Manual - mysql_real_escape_string

Mr Griever
0
$query = sprintf("INSERT INTO cplinktable (liferayid, bmsid, autotaskid, waspdb, cpid) VALUES ('%s','%s','%s','%s','%s')",
            mysql_real_escape_string($liferayid), // was misspelled $liferavid, which would have been an undefined variable
            mysql_real_escape_string($bmsid),
            mysql_real_escape_string($autotaskid),
            mysql_real_escape_string($waspdb),
            mysql_real_escape_string($cpid));
Eton B.
0

It's as simple as using mysql_real_escape_string on strings and typecasting on digits / ints / doubles

(int)$number; //Safe
(double)$double; //Safe
mysql_real_escape_string($string); //Safe

Used on every piece of data you insert into your database, this will be safe

RobertPitt
-3

Try prepared statements with sprintf()

$tsql = "INSERT INTO cplinktable (liferayid, bmsid, autotaskid, waspdb, cpid) VALUES (%d, %d, %d, '%s', %d)";

$tsql = sprintf($tsql, $liferayid, $bmsid, $autotaskid, $waspdb, $cpid);
echo $tsql; // you would execute this but printing to the screen to show the query
Phill Pafford
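As an added example that is not part of any of the answers above: the INSERT from the question written as a genuinely parameterised query with the sqlsrv extension (Microsoft's SQL Server driver for PHP), which works without PDO. It assumes the sqlsrv extension is installed; the server, database and credentials are placeholders, and the sample row is constructed.

```php
<?php
// Added example: parameterised INSERT for SQL Server via the sqlsrv extension (no PDO).
// Table and column names are the ones from the question; connection settings are placeholders.

function insertCpLink($conn, $liferayid, $bmsid, $autotaskid, $waspdb, $cpid)
{
    // '?' placeholders are bound by position. The driver sends the values separately
    // from the SQL text, so a quote inside $waspdb cannot alter the statement.
    $tsql = "INSERT INTO cplinktable (liferayid, bmsid, autotaskid, waspdb, cpid) "
          . "VALUES (?, ?, ?, ?, ?)";

    // Cast the numeric columns so only integers ever reach the driver.
    $params = array(
        (int) $liferayid,
        (int) $bmsid,
        (int) $autotaskid,
        (string) $waspdb,
        (int) $cpid,
    );

    $stmt = sqlsrv_query($conn, $tsql, $params);
    if ($stmt === false) {
        // sqlsrv_errors() returns the driver's error list; log it rather than echoing it to users.
        error_log(print_r(sqlsrv_errors(), true));
        return false;
    }
    sqlsrv_free_stmt($stmt);
    return true;
}

// Placeholder connection settings (assumption: replace with your own).
$conn = sqlsrv_connect('SERVERNAME', array(
    'Database' => 'DBNAME',
    'UID'      => 'USER',
    'PWD'      => 'PASSWORD',
));
if ($conn === false) {
    error_log(print_r(sqlsrv_errors(), true));
    exit(1);
}

// Constructed sample row: the waspdb value contains a quote that would have broken
// the string-concatenated query from the question.
insertCpLink($conn, 1, 2, 3, "o'neill_db", 4);
sqlsrv_close($conn);
```

For many inserts in a loop, sqlsrv_prepare() plus sqlsrv_execute() binds the parameter variables by reference once and re-executes the same statement.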