在PHP中使用params调用SQL Server存储过程

这是我在这里的第一篇文章,也是PHP的初学者,所以请轻描淡写!! </ p>

我正在使用PHP 5.3和SQL Server 2012 express </ p>

我的问题是从PHP执行一个SQL服务器存储过程,其中包含参数值来自$的参数 来自HTML表单的_POST变量。</ p>

我的PHP代码如下:</ p>

 &lt;?php 
require_once(“.. /includes/initialize.php");
//
global $ database;

$ username =“someone”;
$ params = array($ username);

$ conn = $ database-&gt; connection;

$ admin_set = sqlsrv_query($ conn,“{call find_admin_by_username_p}”,$ params);

if($ admin = $ database-&gt; fetch_array($ admin_set)){
var_dump($ admin);
} else {
return null;
}
//
/ *此工作原理
global $ database;

$ admin_set = $ database-&gt; query(“{find find_admin_by_username}”);
if($ admin = $ database-&gt; fetch_array($ admin_set)){
var_dump ($ admin);
} else {
返回null;
}

  • /
    ?>&gt;
    </ code> </ pre>

    存储过程的代码 是:</ p>

      CREATE PROCEDURE [dbo]。[find_admin_by_username_p] 
    @ username nvarchar(55)
    AS
    BEGIN
    SELECT * FROM dbo.users
    WHERE username = @username
    END
    </ code> </ pre>

    对于注释“THIS WORKS”部分,过程find_admin_by_username有效,因为它不包含任何参数。 但是我希望将@username作为$ _POST表单字段提供的变量。</ p>

    我这样做的主要原因是为了帮助防止SQL注入,我也会逃避 一旦连接到表单的值。</ p>

    这是我到目前为止看到的很多信息的链接</ p>

    http:// blogs .msdn.com / b / brian_swan / archive / 2011/02/16 / do-stored-procedures-protect-against-sql-injection.aspx </ p>

    我也有 通过许多其他博客搜索,但似乎找不到任何有用的东西。</ p>

    请帮助!</ p>
    </ div>

展开原文

原文

this is my 1st post here and as a beginner in PHP so please tread lightly!!

I am using PHP 5.3 and SQL Server 2012 express

My problem is executing an SQL server stored procedure from PHP that has parameters where the value of the parameter comes from a $_POST variable from an HTML form.

My PHP code is as follows:

    <?php
    require_once("../includes/initialize.php");
    //
    global $database;


    $username = "someone";
    $params = array($username); 
    $conn = $database->connection;

    $admin_set = sqlsrv_query($conn, "{call find_admin_by_username_p}", $params); 
    if($admin = $database->fetch_array($admin_set)) {
        var_dump($admin);
    } else {
        return null;
    }
    //
    /* THIS WORKS
    global $database;

    $admin_set = $database->query("{call find_admin_by_username}");
    if($admin = $database->fetch_array($admin_set)) {
        var_dump($admin);
      } else {
        return null;
    }
    */
    ?>

The code for the stored procedure is:

    CREATE PROCEDURE [dbo].[find_admin_by_username_p]
@username nvarchar(55)
    AS
    BEGIN
SELECT * FROM dbo.users
WHERE username = @username
    END

For the commented "THIS WORKS" section the procedure find_admin_by_username works as this doesn't contain any parameters. However I want to have the @username as a variable that is provided by a $_POST form field.

My main reason for doing this is to help prevent SQL injection, also I would be escaping the values once connected to the form.

This is a link to a lot of the info I have looked at so far

http://blogs.msdn.com/b/brian_swan/archive/2011/02/16/do-stored-procedures-protect-against-sql-injection.aspx

I have also searched through many other blogs but don't seem to be able to find anything that works.

Please help!

php
duanganleng0577
duanganleng0577 您可以在下面回答您自己的问题
大约 7 年之前 回复
dpstir0081
dpstir0081 $admin_set=sqlsrv_query($conn,“{callfind_admin_by_username_p(?)}”,$params);
大约 7 年之前 回复
dongrang9300
dongrang9300 toolong
大约 7 年之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问