
I just started learning PHP today and am trying to write a few queries using prepared statements. So far I have this:

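```php
$query = "select * from users where 1 = ?";
// The third argument is the array of values bound to the ? placeholders.
$result = sqlsrv_query($connection, $query, array(1));
if ($result === false) {
    echo "error";
    exit; // stop here: fetching from a failed statement would only raise further errors
}

while ($row = sqlsrv_fetch_array($result, SQLSRV_FETCH_ASSOC)) {
    print_r($row);
}
```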

It produces the desired result (simply printing everything returned). I am struggling to make it a prepared query, to avoid SQL injection.

Mureinik
  • @Akintunde OP is using [tag:sql-server], not [tag:mysql]. – Mureinik Jun 12 '17 at 05:44
  • Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Markus Jun 12 '17 at 07:25

1 Answer


This already is a prepared query, where the third argument of sqlsrv_query is the array of variables you want to bind.

Mureinik
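An added example, not part of the original question or answer: the same binding applied to a user-supplied value, first with `sqlsrv_query` and then with `sqlsrv_prepare`/`sqlsrv_execute` for a statement that is run several times. The connection settings, the `username` column and the `find_user` helper are assumptions made for illustration.

```php
<?php
// Assumptions: placeholder server/database names; `users.username` is hypothetical.
$connection = sqlsrv_connect('localhost', array('Database' => 'testdb'));
if ($connection === false) {
    error_log(print_r(sqlsrv_errors(), true)); // log details, do not show them to users
    exit('connection failed');
}

// Hypothetical helper: returns all rows for one user name, or null on failure.
function find_user($connection, $name)
{
    // Vulnerable form, for comparison only: the value becomes part of the SQL text.
    // $sql = "SELECT * FROM users WHERE username = '" . $name . "'";

    // Parameterized form: the value travels separately from the SQL text.
    $sql = "SELECT * FROM users WHERE username = ?";
    $stmt = sqlsrv_query($connection, $sql, array($name));
    if ($stmt === false) {
        error_log(print_r(sqlsrv_errors(), true));
        return null;
    }
    $rows = array();
    while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
        $rows[] = $row;
    }
    sqlsrv_free_stmt($stmt);
    return $rows;
}

// Constructed input: the embedded quote is compared as data, not parsed as SQL.
print_r(find_user($connection, "O'Brien"));

// Prepare once, execute many times. sqlsrv_prepare binds variables by reference,
// so changing $name before each sqlsrv_execute changes the bound value.
$name = '';
$stmt = sqlsrv_prepare($connection, "SELECT * FROM users WHERE username = ?", array(&$name));
if ($stmt === false) {
    error_log(print_r(sqlsrv_errors(), true));
    exit('prepare failed');
}
foreach (array('alice', "O'Brien") as $candidate) { // constructed sample names
    $name = $candidate;
    if (sqlsrv_execute($stmt) === false) {
        error_log(print_r(sqlsrv_errors(), true));
        continue;
    }
    while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
        print_r($row);
    }
}
```

Only values can be bound this way; table and column names cannot be passed as `?` parameters and need an allow-list check if they ever depend on input.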