Given the following query (in the code, NOT a stored procedure), how can I add parameters to the query rather than including the condition values directly in the query? In o
First of all abandon the outdated extension and use sqlsrv instead:
These functions allow you to access an MS SQL Server database.
This extension is not available anymore on Windows with PHP 5.3 or later.
SQLSRV, an alternative driver for MS SQL is available from Microsoft: » http://msdn.microsoft.com/en-us/sqlserver/ff657782.aspx.
After that you get support for prepared statements:
$dbh = sqlsrv_connect($serverName, $credentials); // $credentials is the connection-info array: array('Database' => ..., 'UID' => ..., 'PWD' => ...)
$lastName = 'Smith%'; // sample value; it is bound by reference below and never interpolated into the SQL text
$stmt = sqlsrv_prepare($dbh, 'SELECT lastname,firstname,address,phone,email FROM person WHERE lastname LIKE ?', array(&$lastName));
if (sqlsrv_execute($stmt))
{
    // sqlsrv_fetch_array() returns null when no rows remain and false on error, so stop on either
    while (($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) !== null && $row !== false) {
        // do stuff with $row
    }
}
Of course if I were you I would just use PDO as others have suggested, which presents the same interface to all the DB extensions it supports.
If you're stuck using mssql for some reason then I believe you're also stuck manually escaping all your query parameters.
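An added example (not from the original answer) of the PDO route suggested above, using the pdo_sqlsrv driver. The DSN, credentials, the `person` table and the request parameter are assumptions; it also escapes LIKE wildcards, which parameter binding alone does not do, so a value like "%" cannot turn a prefix search into a full-table match.

```php
<?php
// Added example: parameterised SELECT against SQL Server with PDO + pdo_sqlsrv.
// Server, database, credentials and the `person` table are assumed for illustration.
$dsn  = 'sqlsrv:Server=localhost;Database=ExampleDb'; // assumed DSN
$user = 'app_user';                                    // assumed credentials
$pass = 'changeme';

$pdo = new PDO($dsn, $user, $pass, [
    // Throw on errors instead of silently returning false.
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Binding keeps the value out of the SQL text (no injection), but LIKE still
// interprets %, _ and [ inside the bound value as wildcards. Escape them so the
// user's text is matched literally; backslash is declared as the escape char
// via ESCAPE '\' in the query. Backslash is replaced first so later entries
// are not double-processed.
function likeLiteral(string $input): string
{
    return str_replace(['\\', '%', '_', '['], ['\\\\', '\\%', '\\_', '\\['], $input);
}

$lastName = $_GET['lastname'] ?? ''; // untrusted input (assumed source)

// Nowdoc: no PHP escaping, so ESCAPE '\' reaches SQL Server as written.
$sql = <<<'SQL'
SELECT lastname, firstname, address, phone, email
FROM person
WHERE lastname LIKE :lastname ESCAPE '\'
SQL;

$stmt = $pdo->prepare($sql);
// Prefix search: the one wildcard we intend is appended after escaping.
$stmt->bindValue(':lastname', likeLiteral($lastName) . '%', PDO::PARAM_STR);
$stmt->execute();

foreach ($stmt as $row) {
    // do stuff with $row
}
```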