views: 452
answers: 2

I am doing some maintenance work on an older system that is running PHP 4 and talks to a MS SQL2000 database via FreeTDS. I know, it already sounds somewhat scary!

A lot of the code used unsafe string-concatenation for generating SQL queries. I have done some work to try and filter the input to make things safer but it is giving me a headache.

I am wondering if there is something out there that will allow me to do proper parameterized queries given my current setup? At this point I am unable to change the versions of PHP or MSSQL.

+1  A: 

Use a database abstraction layer like MDB2 that provides them.

ceejayoz
That appears to be a good option that I had looked into before, although I couldn't find a reference that MDB2 would work with PHP4. Do you know if that is the case?
Wally Lawless
I believe so, yes.
ceejayoz
+1  A: 

If your primary interest in parameterized queries is SQL Injection safety, I'd look for a database abstraction layer that provides the functionality for you and is written in pure PHP. I've used ADOdb and it's a decent option, and it looks like they still have an older PHP4 version available for download.

The only caveat to this is the abstraction layer may not do "proper" parameterized queries with your database. In other words, they may have implemented their own parameterizing engine, and then send off full SQL strings to the database. This is important with MS SQL Server, as "proper" parameterized queries can bring significant performance increases.

Alan Storm
Took a while to investigate, but ADOdb seems to be working well. Thanks for the advice!
Wally Lawless
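The following is an added example, not code posted by the asker or by either answerer, illustrating what both answers recommend: the string-concatenation pattern the question describes, beside the same lookup issued through ADOdb (second answer) and through PEAR MDB2 (first answer) with bound parameters. It is written in PHP 4 syntax. The table and column names, the connection variables ($host, $user, $pass, $dbname) and the include path for ADOdb are assumptions; the API calls (NewADOConnection, Execute with a bind array, MDB2 prepare/execute) are the libraries' documented ones.

```php
<?php
// Added example (not from the question or the answers). PHP 4 syntax:
// no type hints, objects passed by reference explicitly.
// Table "users", its columns, and the connection variables are assumed.

// --- 1. The pattern being replaced: input spliced straight into the SQL.
// With $username = "x' OR '1'='1", this returns every row in the table.
function lookup_unsafe($link, $username)
{
    $sql = "SELECT id, email FROM users WHERE username = '" . $username . "'";
    return mssql_query($sql, $link);   // PHP 4 mssql extension: no binding
}

// --- 2. ADOdb: '?' placeholders, values handed over as a separate array.
// On drivers without native binding ADOdb quotes the values itself and
// sends a complete SQL string (the caveat the second answer raises), but
// the value is still never concatenated into the statement by our code.
function lookup_adodb(&$db, $username)
{
    $sql = 'SELECT id, email FROM users WHERE username = ?';
    $rs = $db->Execute($sql, array($username));
    if ($rs === false) {
        return false;                  // $db->ErrorMsg() has the reason
    }
    $rows = array();
    while (!$rs->EOF) {
        $rows[] = $rs->fields;
        $rs->MoveNext();
    }
    $rs->Close();
    return $rows;
}

// --- 3. MDB2 (PEAR): prepare() once, execute() with the values.
// MDB2_PREPARE_RESULT tells MDB2 the statement returns a result set.
function lookup_mdb2(&$mdb2, $username)
{
    $sth = $mdb2->prepare('SELECT id, email FROM users WHERE username = ?',
                          array('text'), MDB2_PREPARE_RESULT);
    if (PEAR::isError($sth)) {
        return false;
    }
    $res = $sth->execute(array($username));
    if (PEAR::isError($res)) {
        $sth->free();
        return false;
    }
    $rows = array();
    while ($row = $res->fetchRow(MDB2_FETCHMODE_ASSOC)) {
        $rows[] = $row;
    }
    $res->free();
    $sth->free();
    return $rows;
}

// --- 4. Placeholders bind values only. Column names, ORDER BY targets and
// table names cannot be bound, so they are checked against a fixed list.
function safe_sort_column($requested)
{
    $allowed = array('id', 'email', 'username');
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

// Usage with ADOdb (include path and credentials are placeholders):
require_once 'adodb/adodb.inc.php';
$db = NewADOConnection('mssql');
if (!$db->Connect($host, $user, $pass, $dbname)) {
    die('connect failed: ' . $db->ErrorMsg());
}
$rows = lookup_adodb($db, isset($_GET['user']) ? $_GET['user'] : '');
$sql  = 'SELECT id, email FROM users ORDER BY ' . safe_sort_column($_GET['sort']);
?>
```

The last line shows why the whitelist helper exists alongside the bound queries: the sort column still ends up in the SQL text, so it must come from a known set rather than from the request. Whether ADOdb binds natively or emulates on the FreeTDS/MSSQL driver is, as the second answer notes, worth checking in the driver source for the version actually deployed.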