Delicious Bookmark this on Delicious Share on Facebook SlashdotSlashdot It! Digg! Digg



PHP : Function Reference : ODBC Functions (Unified) : odbc_prepare

odbc_prepare

Prepares a statement for execution (PHP 4, PHP 5)
resource odbc_prepare ( resource connection_id, string query_string )

Returns FALSE on error.

Returns an ODBC result identifier if the SQL command was prepared successfully. The result identifier can be used later to execute the statement with odbc_execute().

Some databases (such as IBM DB2, MS SQL Server, and Oracle) support stored procedures that accept parameters of type IN, INOUT, and OUT as defined by the ODBC specification. However, the Unified ODBC driver currently only supports parameters of type IN to stored procedures.

In the following code, $res will only be valid if all three parameters to myproc are IN parameters:

<?php
$a
= 1;
$b = 2;
$c = 3;
$stmt = odbc_prepare($conn, 'CALL myproc(?,?,?)');
$res = odbc_execute($stmt, array($a, $b, $c));
?>

If you need to call a stored procedure using INOUT or OUT parameters, the recommended workaround is to use a native extension for your database (for example, mssql for MS SQL Server, or oci8 for Oracle).

Examples ( Source code ) odbc_prepare

A determined attacker will easily jump through whatever string-escaping hoops you can devise. 
A better way to protect yourself against SQL injection is to bind your parameters, which requires
 calling odbc_prepare() and odbc_execute():

<?php
$emp_id 
$_GET['emp_id'];
$stmt odbc_prepare($db_conn"SELECT pwd FROM employees WHERE emp_id=?");
$res odbc_execute($stmt, array($emp_id));
?>

Code Examples / Notes » odbc_prepare

marek

Use this example for IBM DB/2:
$q = "update TABLE set PASS=? where NAME=?";
$res = odbc_prepare ($con, $q);
$a = "secret"; $b="user";
$exc = odbc_execute($res, array($a, $b));


ron

odbc_exec() returns BOOLEAN if the query doesn't return a result set.
If the query returns a result set, odbc_exec() returns a resource to that result set.


bslorence

Is it just me or is the code above misleading? It makes it look like odbc_execute() returns a resource suitable, say, for passing to one of the odbc_fetch_* functions.
In fact, odbc_execute() returns a boolean, which simply indicates success (TRUE) or failure (FALSE). The variable to pass to odbc_fetch_* is the same one that you pass to odbc_execute():
<?php
$res = odbc_prepare($db_conn, $query_string);
if(!$res) die("could not prepare statement ".$query_string);
if(odbc_execute($res, $parameters)) {
   $row = odbc_fetch_array($res);
} else {
   // handle error
}
?>


Change Language


Follow Navioo On Twitter
odbc_autocommit
odbc_binmode
odbc_close_all
odbc_close
odbc_columnprivileges
odbc_columns
odbc_commit
odbc_connect
odbc_cursor
odbc_data_source
odbc_do
odbc_error
odbc_errormsg
odbc_exec
odbc_execute
odbc_fetch_array
odbc_fetch_into
odbc_fetch_object
odbc_fetch_row
odbc_field_len
odbc_field_name
odbc_field_num
odbc_field_precision
odbc_field_scale
odbc_field_type
odbc_foreignkeys
odbc_free_result
odbc_gettypeinfo
odbc_longreadlen
odbc_next_result
odbc_num_fields
odbc_num_rows
odbc_pconnect
odbc_prepare
odbc_primarykeys
odbc_procedurecolumns
odbc_procedures
odbc_result_all
odbc_result
odbc_rollback
odbc_setoption
odbc_specialcolumns
odbc_statistics
odbc_tableprivileges
odbc_tables
eXTReMe Tracker