doucheng4660 2013-08-20 08:03
103 views

Calling a SQL Server stored procedure with params in PHP

This is my 1st post here, and I am a beginner in PHP, so please tread lightly!!

I am using PHP 5.3 and SQL Server 2012 Express.

My problem is executing a SQL Server stored procedure from PHP that has parameters, where the value of the parameter comes from a $_POST variable from an HTML form.

My PHP code is as follows:

    <?php
    require_once("../includes/initialize.php");
    //
    global $database;


    $username = "someone";
    $params = array($username); 
    $conn = $database->connection;

    $admin_set = sqlsrv_query($conn, "{call find_admin_by_username_p}", $params); 
    if($admin = $database->fetch_array($admin_set)) {
        var_dump($admin);
    } else {
        return null;
    }
    //
    /* THIS WORKS
    global $database;

    $admin_set = $database->query("{call find_admin_by_username}");
    if($admin = $database->fetch_array($admin_set)) {
        var_dump($admin);
      } else {
        return null;
    }
    */
    ?>

The code for the stored procedure is:

    CREATE PROCEDURE [dbo].[find_admin_by_username_p]
        @username nvarchar(55)
    AS
    BEGIN
        SELECT * FROM dbo.users
        WHERE username = @username
    END

For the commented "THIS WORKS" section the procedure find_admin_by_username works as this doesn't contain any parameters. However I want to have the @username as a variable that is provided by a $_POST form field.

My main reason for doing this is to help prevent SQL injection; also, I would be escaping the values once connected to the form.

This is a link to a lot of the info I have looked at so far:

http://blogs.msdn.com/b/brian_swan/archive/2011/02/16/do-stored-procedures-protect-against-sql-injection.aspx

I have also searched through many other blogs but don't seem to be able to find anything that works.

Please help!
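An added example, not part of the original post: one way to call the parameterised procedure with the sqlsrv driver, using a `?` placeholder in the call string so the `$_POST` value is bound as data rather than concatenated or escaped. The server name, database name, Windows authentication and the `username` form field are assumptions, and the syntax is kept compatible with PHP 5.3.

```php
<?php
// Added example. Connection values are placeholders (assumptions), and
// omitting UID/PWD makes the driver use Windows authentication.
$serverName = "localhost\\SQLEXPRESS";
$connectionInfo = array("Database" => "example_db", "CharacterSet" => "UTF-8");

function find_admin_by_username($conn, $username)
{
    // A form field can arrive as an array (username[]=x), so insist on
    // a non-empty string before it is bound.
    if (!is_string($username) || $username === '') {
        return null;
    }

    // One "?" per procedure parameter. Without it, the $params array
    // has no placeholder to bind to.
    $sql = "{call find_admin_by_username_p(?)}";

    // Typed binding that matches the procedure's @username nvarchar(55).
    $params = array(
        array($username, SQLSRV_PARAM_IN,
              SQLSRV_PHPTYPE_STRING('UTF-8'), SQLSRV_SQLTYPE_NVARCHAR(55)),
    );

    $stmt = sqlsrv_query($conn, $sql, $params);
    if ($stmt === false) {
        // Log driver errors server-side; do not echo them to the client.
        error_log(print_r(sqlsrv_errors(), true));
        return null;
    }

    // Returns an array for a row, null when there is no row, false on error.
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($stmt);
    return is_array($row) ? $row : null;
}

$conn = sqlsrv_connect($serverName, $connectionInfo);
if ($conn === false) {
    error_log(print_r(sqlsrv_errors(), true));
    exit("Database connection failed.");
}

// "username" is an assumed form field name.
$username = isset($_POST['username']) ? $_POST['username'] : '';
var_dump(find_admin_by_username($conn, $username));
sqlsrv_close($conn);
```

Binding is sufficient here because the procedure uses `@username` directly in a static `SELECT`; a procedure that builds dynamic SQL from its parameters would still need parameterisation inside the procedure body.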
