{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 不美不萌又怎样 的问题《How to execute a stored procedure in php using sql》','https://www.manongdao.com/q-1179590.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I've looked over several other questions that seem (from the titles) the same as this. However, my case is a bit different.
The following works (i.e. I get "success" and my database performs what I expect when running the procedure with the given variables):
$sql = "MyDB.dbo.myProcedure {$var1}, {$var2}, {$var3}";
$result = sqlsrv_query($myConn, $sql);
if (!$result) {
echo 'Your code is fail.';
}
else {
echo 'Success!';
}
I want to avoid (or lessen the possibility of) SQL injection by creating the SQL string using parameters. For example:
$sql = "select * from aTable where col1 = ? AND col2 = ?";
$result = sqlsrv_query($myConn, $sql, array($var1, $var2));
//please note. This code WILL work!
But when I do that with a stored procedure it fails. It fails with no errors reported via sqlsrv_errors(), no action taken in database, and $result === false.
To be clear, the following fails:
$sql = "MyDB.dbo.myProcedure ?, ?, ?";
$result = sqlsrv_query($myConn, $sql, array($var1, $var2, $var3));
Likewise a prepare/execute statement created the same way will also fail:
$sql = "MyDB.dbo.myProcedure ?, ?, ?";
$stmt = sqlsrv_prepare($myConn, $sql, array(&$var1, &$var2, &$var3));
foreach($someArray as $key => $var3) {
if(sqlsrv_execute($stmt) === false) {
echo 'mucho fail.';
}
}
//this code also fails.
For completeness, I have confirmed that the stored procedure in question works directly within SQL Management Studio AND if called the way I mentioned above. Likewise, I have confirmed that I can use parameterized queries for any raw query (like an insert, select, update vs a stored procedure).
So, my question is how can I call a stored procedure using the parameterized query vs embedding the variables in the query string?
More importantly, I am actually wanting to use a prepare/execute, so hopefully the answer will allow this to work as well.
This is a follow up to the answer by @chris85.
It's worth noting here that once the statement is prepared, you need to execute it:
sqlsrv_execute()only returns true/false. If you want to parse the data returned by the stored procedure you can process it just like the result fromsqlsrv_query().If you forget the
sqlsrv_execute()you'll get an error saying that the result has to be executed before it can be used.Make sure you set this or you will always get errors returned if the stored procedure has messages being returned.
The user contributions on the php.net have a write up on how to execute a stored procedure using the sqlsrv-prepare.
In case that is removed from the php.net user contributions in the future here is what it had(has) listed:
Here's the manual's page, http://php.net/manual/en/function.sqlsrv-prepare.php