ODBC prepared statements in PHP

Question

I'm trying to use odbc_prepare and odbc_execute in PHP as follows:

$pstmt=odbc_prepare($odb_con,"select * from configured where param_name='?'");
$res=odbc_execute($pstmt,array('version'));
var_dump($res);  //bool(true)
$row = odbc_fetch_array($pstmt);
var_dump($row);  //bool(false)

The first var_dump returns true so the execute succeeds, but there is no row returned. A row does indeed exist with the param_name = 'version'. Why is no row returned?

To make things interesting, I ran another very simple example in php using a prepared insert.

$pstmt=odbc_prepare($odb_con,"insert into tmp1 values(?,'?')");

This line, by itself, inserted a row into the database!! Surely this is just wrong? The data entered was col 1 = blank, col 2 = ?

Any advice on where to start fixing this would be appreciated, thanks.

Edit: This is in PHP 5.2.8

Answer 1

Try removing the single quotes from the query string and adding them to the parameter value itself:

$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array(" 'version'"));
var_dump($res);  //bool(true)
$row = odbc_fetch_array($pstmt);
var_dump($row);  //bool(false)

The single space character at the beginning of the parameter value is very important--if the space is not there, it will treat the variable as a path to a file.

From http://www.php.net/manual/en/function.odbc-execute.php:

If you wish to store a string which actually begins and ends with single quotes, you must add a space or other non-single-quote character to the beginning or end of the parameter, which will prevent the parameter from being taken as a file name.

Answer 2

when I read this paragraph

Any parameters in parameter_array which start and end with single quotes will be taken as the name of a file to read and send to the database server as the data for the appropriate placeholder.

If you wish to store a string which actually begins and ends with single quotes, you must add a space or other non-single-quote character to the beginning or end of the parameter, which will prevent the parameter from being taken as a file name. If this is not an option, then you must use another mechanism to store the string, such as executing the query directly with odbc_exec()).

It seems to me that it isn't necessary to add single quotes ' to a string, only if you really want to have the quotes as text in the DB

Therefore if I only want to insert the text, without the single quotes I would write something like that ...

see this example from odbc-prepare

http://www.php.net/manual/en/function.odbc-prepare.php

Use this example for IBM DB/2:

$q = "update TABLE set PASS=? where NAME=?";
$res = odbc_prepare ($con, $q);

$a = "secret"; $b="user";
$exc = odbc_execute($res, array($a, $b));

This would result in the following statement

$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");

$name = "version";
$params = array($name);

$res=odbc_execute($pstmt,$params);
var_dump($res);  //bool(true)

$row = odbc_fetch_array($pstmt);
var_dump($row);  //bool(false)

See that I not only removed the qoutes for the value in the params array but also removed the qoutes in the SQL statement.

please give feedback if this was right

Answer 3

You should not enclose variables in quotes in a prepared statement:

$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array(" 'version'"));

should be:

$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array("version"));

Question marks represent parameter placeholders, the value passed is meant to represent an unescaped, unenclosed value, which will be properly escaped by the SQL interpreter.

Answer 4

EDIT:

Gah, ignore me, misread php.net

odbc_fetch_array accepts as it's parameter the result of odbc_execute, you seem to be passing in the prepared statement.

Answer 5

What DBMS are you using? The fact that the lone insert prepare statement seems to be executed against the database rather than being prepared points to either a poor implementation of php (unlikely) or the DBMS not supporting prepared sql. If the latter is the case it is possible that their way of supporting the command with out the functionality is just to execute the statement leading to the results you get. If the DBMS does support prepared statements and the php implementation handles it properly there is some kind of issue with the insert being executed which also needs some investigation.

Answer 6

Did you try using double quotes? i.e.

$res=odbc_execute($pstmt,array("version"));