troubleshooting Question
Parameterised queries
I have a query which is created depending on which variables are submitted via a form, an easy example might be:
//start the query
$sql= "select tblaccounts.companyid
,tblaccounts.accountno
,tblmembers.memberno
,tblcards.cardno
from tblaccounts
WHERE tblmembers.companyid = '$companyid' ";
//build where clauses based on the existence of some variables
if (strlen($firstname)>0){
$sql.= " and tblmembers.firstname = '$firstname' ";}
if (strlen($surname)>0){
$sql.= " and tblmembers.surname = '$surname' ";}
if (strlen($postcode)>0){
$sql.= " and tblaccounts.postcode = '$postcode' "; }
// complete the query
$sql.= " and (tblcards.primarycard = 'primary') order by surname, firstname, postcode";
//pass the parameters
$params=array($companyid, $firstname, $surname, $postcode);
//run the query
$result=sqlsrv_query($conn
At the moment I can only run the query using the proper variables, not the ? parameters as the parameter array will change depending on the variables required.
This me open to sql injections and problems with apostrophes etc within variable etc
Is there a way that I can use an associative array to store the possible varaibles and call them within the sql?
I am coding in php 5.6, using mssql on a windows server.
//start the query
$sql= "select tblaccounts.companyid
,tblaccounts.accountno
,tblmembers.memberno
,tblcards.cardno
from tblaccounts
WHERE tblmembers.companyid = '$companyid' ";
//build where clauses based on the existence of some variables
if (strlen($firstname)>0){
$sql.= " and tblmembers.firstname = '$firstname' ";}
if (strlen($surname)>0){
$sql.= " and tblmembers.surname = '$surname' ";}
if (strlen($postcode)>0){
$sql.= " and tblaccounts.postcode = '$postcode' "; }
// complete the query
$sql.= " and (tblcards.primarycard = 'primary') order by surname, firstname, postcode";
//pass the parameters
$params=array($companyid, $firstname, $surname, $postcode);
//run the query
$result=sqlsrv_query($conn
At the moment I can only run the query using the proper variables, not the ? parameters as the parameter array will change depending on the variables required.
This me open to sql injections and problems with apostrophes etc within variable etc
Is there a way that I can use an associative array to store the possible varaibles and call them within the sql?
I am coding in php 5.6, using mssql on a windows server.
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 4 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.
The Fellow title is reserved for select members who demonstrate sustained contributions, industry leadership, and outstanding performance. We will announce the experts being inducted into the Experts Exchange Fellowship during the annual Expert Awards, but unlike other awards, Fellow is a lifelong status. This title may not be given every year if there are no obvious candidates.
The Most Valuable Expert award recognizes technology experts who passionately share their knowledge with the community, demonstrate the core values of this platform, and go the extra mile in all aspects of their contributions. This award is based off of nominations by EE users and experts. Multiple MVEs may be awarded each year.