ODBC prepared statements in PHP

Question

I'm trying to use odbc_prepare and odbc_execute in PHP as follows:

$pstmt=odbc_prepare($odb_con,"select * from configured where param_name='?'");
$res=odbc_execute($pstmt,array('version'));
var_dump($res);  //bool(true)
$row = odbc_fetch_array($pstmt);
var_dump($row);  //bool(false)

The first var_dump returns true so the execute succeeds, but there is no row returned. A row does indeed exist with the param_name = 'version'. Why is no row returned?

To make things interesting, I ran another very simple example in php using a prepared insert.

$pstmt=odbc_prepare($odb_con,"insert into tmp1 values(?,'?')");

This line, by itself, inserted a row into the database!! Surely this is just wrong? The data entered was col 1 = blank, col 2 = ?

Any advice on where to start fixing this would be appreciated, thanks.

Edit: This is in PHP 5.2.8

What does `odbc_num_rows($res);` return? I want to confirm the fact that the query is indeed returning a non-empty result. `odbc_fetch_array()` could be returning false because there are no rows in the result set. Also, are any error messages appearing in your PHP error log? — Michael, May 09 '11 at 14:49
have you tried the solution I suggested? please give feedback — Jeremy S., May 11 '11 at 10:47
Unfortunately the new replies will have to wait until I have time to look at this particular problem again. I have been tasked with something else right now. — psx, May 11 '11 at 14:07
Just to update this question: I never found a solution to this. I just had to do without prepared statements. I suspect its the ODBC driver that's installed on the system I am developing for. Unfortuntaely this cannot be changed anytime soon. — psx, Dec 14 '11 at 07:34
this is an old post but how would you go it you wanted to loop around the results of your select statement? I am trying to do something similar — Erick, Apr 09 '15 at 15:54
Thank you for mentioning the ODBC driver, @psynnott I ran into the exact same problem and couldn't figure out what was wrong until I say you post that. It's a really unfortunate issue... — Muhammad Abdul-Rahim, Apr 20 '15 at 14:29

score 11 · Accepted Answer · answered Apr 22 '11 at 15:29

Try removing the single quotes from the query string and adding them to the parameter value itself:

$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array(" 'version'"));
var_dump($res);  //bool(true)
$row = odbc_fetch_array($pstmt);
var_dump($row);  //bool(false)

The single space character at the beginning of the parameter value is very important--if the space is not there, it will treat the variable as a path to a file.

From http://www.php.net/manual/en/function.odbc-execute.php:

If you wish to store a string which actually begins and ends with single quotes, you must add a space or other non-single-quote character to the beginning or end of the parameter, which will prevent the parameter from being taken as a file name.

Please **do** check out the docs on **odbc_execute**... it only returns boolean, true on successful query execution (whether the row is there or not) and false if the query fails. AND **odbc_exec** returns a resource. — Chris O, Mar 20 '17 at 19:18

score 5 · Answer 2 · edited Jun 20 '20 at 09:12

when I read this paragraph

Any parameters in parameter_array which start and end with single quotes will be taken as the name of a file to read and send to the database server as the data for the appropriate placeholder.

If you wish to store a string which actually begins and ends with single quotes, you must add a space or other non-single-quote character to the beginning or end of the parameter, which will prevent the parameter from being taken as a file name. If this is not an option, then you must use another mechanism to store the string, such as executing the query directly with odbc_exec()).

It seems to me that it isn't necessary to add single quotes ' to a string, only if you really want to have the quotes as text in the DB

Therefore if I only want to insert the text, without the single quotes I would write something like that ...

see this example from odbc-prepare

http://www.php.net/manual/en/function.odbc-prepare.php

Use this example for IBM DB/2:

$q = "update TABLE set PASS=? where NAME=?";
$res = odbc_prepare ($con, $q);

$a = "secret"; $b="user";
$exc = odbc_execute($res, array($a, $b));

This would result in the following statement

$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");

$name = "version";
$params = array($name);

$res=odbc_execute($pstmt,$params);
var_dump($res);  //bool(true)

$row = odbc_fetch_array($pstmt);
var_dump($row);  //bool(false)

See that I not only removed the qoutes for the value in the params array but also removed the qoutes in the SQL statement.

please give feedback if this was right

score 3 · Answer 3 · answered May 09 '11 at 01:38

You should not enclose variables in quotes in a prepared statement:


$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array(" 'version'"));

should be:


$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array("version"));

Question marks represent parameter placeholders, the value passed is meant to represent an unescaped, unenclosed value, which will be properly escaped by the SQL interpreter.

Toby · Answer 4 · 2011-04-22T15:21:14.233

2

EDIT:

Gah, ignore me, misread php.net

odbc_fetch_array accepts as it's parameter the result of odbc_execute, you seem to be passing in the prepared statement.

edited Apr 22 '11 at 15:21

answered Apr 22 '11 at 15:12

Toby

8,483
13
45
68

Really? odbc_execute returns true or false surely? http://php.net/manual/en/function.odbc-execute.php – psx Apr 22 '11 at 15:14
No it doesn't. [`odbc_execute`](http://us2.php.net/manual/en/function.odbc-execute.php) returns a boolean status. The calls are correct. – ircmaxell Apr 22 '11 at 15:17
@psynnott -> I got that from http://uk.php.net/manual/en/function.odbc-fetch-array.php – Toby Apr 22 '11 at 15:18
@Toby that's the result from odbc_exec not odbc_execute :) – psx Apr 22 '11 at 15:20
@psynnott yeah just noticed that! d'oh! My apologies! – Toby Apr 22 '11 at 15:21

score 2 · Answer 5 · answered May 05 '11 at 10:26

2

What DBMS are you using? The fact that the lone insert prepare statement seems to be executed against the database rather than being prepared points to either a poor implementation of php (unlikely) or the DBMS not supporting prepared sql. If the latter is the case it is possible that their way of supporting the command with out the functionality is just to execute the statement leading to the results you get. If the DBMS does support prepared statements and the php implementation handles it properly there is some kind of issue with the insert being executed which also needs some investigation.

answered May 05 '11 at 10:26

MD-Tech

1,224
1
9
15

I forgot to also ask you what php interpreter you're using; I'm going to have a good look if there are any issues that could result in this as is seems like the function call is the problem and not your code – MD-Tech May 06 '11 at 14:14
Php 5.2.8 on linux fedora. Not entirely sure what you mean by which php interpreter – psx May 06 '11 at 22:15

score 2 · Answer 6 · answered May 05 '11 at 23:17

2

Did you try using double quotes? i.e.

$res=odbc_execute($pstmt,array("version"));

answered May 05 '11 at 23:17

Carl von Buelow

1,154
7
11

ODBC prepared statements in PHP

6 Answers6

Linked