ODBC prepared statements in PHP

Question

I\'m trying to use odbc_prepare and odbc_execute in PHP as follows:

$pstmt=odbc_prepare($odb_con,\"select * from configured where param_name=\'?\'\");
$res=o         


        

Answer 1

You should not enclose variables in quotes in a prepared statement:

$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array(" 'version'"));

should be:

$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array("version"));

Question marks represent parameter placeholders, the value passed is meant to represent an unescaped, unenclosed value, which will be properly escaped by the SQL interpreter.