ODBC和SQL Server 2008:不能使用准备好的语句? [英] ODBC and SQL Server 2008: Can't use prepared statements?

问题描述

好，所以我无法使它起作用(两个都可以):

OK, so I cannot get this to work (either):

$stmt = odbc_prepare($conn, "SELECT * FROM Users WHERE username=?");
odbc_execute($stmt, array($username));
$user = odbc_fetch_object($stmt);


$stmt = $pdo->prepare("SELECT * FROM Users WHERE username=?");
$stmt->execut(array($username));
$user = $stmt->fetchObject();

两者都返回相同的错误:

Both return the same errors:

警告:odbc_execute():SQL错误:无法获取错误消息，SQL SQLExecute中的状态HY000 第24行的user.php

Warning: odbc_execute(): SQL error: Failed to fetch error message, SQL state HY000 in SQLExecute in user.php on line 24

任何人都知道是否有可能解决此问题，或者是否准备好了表外的语句?如果是这样，应该如何防范SQL注入?

Anyone know if it's possible to solve this, or are prepared statements off the table? If so, how should guard against SQL injections?

推荐答案

我从不使用fetchObject方法，但是呢?

I never use the fetchObject method but how about this:

$stmt = $pdo->prepare("SELECT * FROM Users WHERE username=?");
$stmt->bindValue(1, $username);
try{
    $stmt->execute();
    while ($row = $stmt->fetch()){
       // Do whatever.
    }
}catch(PDOException $e){
    echo($e->getMessage());
}

我还注意到您问号('?')周围的单引号，不应放在单引号中.

I also notice the single quotes around your question mark ('?'), they shouldn't be there.

为了使用try/catch东西，在创建PDO连接时需要包括以下内容:

In order to use the try/catch stuff you'll need to include this when you create your PDO connection:

$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

您可能还希望添加它:

$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, FALSE); // Try to use the driver's native prepared statements.

这篇关于ODBC和SQL Server 2008:不能使用准备好的语句?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！