Sunday, May 1, 2011

Is there a way to do parameterized queries in PHP 4 when using a MSSQL database?

I am doing some maintenance work on an older system that is running PHP 4 and talks to a MS SQL2000 database via FreeTDS. I know, it already sounds somewhat scary!

A lot of the code used unsafe string-concatenation for generating SQL queries. I have done some work to try and filter the input to make things safer but it is giving me a headache.

I am wondering if there is a something out there that will allow my to do proper parameterized queries given my current setup? At this point I am unable to change the versions of PHP or MSSQL.

From stackoverflow
  • Use a database abstraction layer like MDB2 that provides them.

    Wally Lawless : That appears to be a good option that I had looked into before, although I couldn't find a reference that MDB2 would work with PHP4. Do you know if that is the case?
    ceejayoz : I believe so, yes.
  • If your primary interest in parameterized queries is SQL Injection safety, I'd look for a database abstraction layer that provides the functionality for you and is written in pure PHP. I've used ADOdb and it's a decent option, and it looks like they still have an older PHP4 version available for download.

    The only caveat to this is the abstraction layer may not do "proper" parameterized queries with you database. In other words, they may have implemented their own parameterizing engine, and then send off full SQL strings to the database. This is important with MS SQL Server, as "proper" parameterized queries can bring a significant performance increases.

    Wally Lawless : Took awhile to investigate, but ADOdb seems to be working well. Thanks for the advice!

0 comments:

Post a Comment