I've looked over several other questions that seem (from the titles) the same as this. However, my case is a bit different.
The following works (i.e. I get "success" and my database performs what I expect when running the procedure with the given variables):
$sql = "MyDB.dbo.myProcedure {$var1}, {$var2}, {$var3}";
$result = sqlsrv_query($myConn, $sql);
if (!$result) {
echo 'Your code is fail.';
}
else {
echo 'Success!';
}
I want to avoid (or lessen the possibility of) SQL injection by creating the SQL string using parameters. For example:
$sql = "select * from aTable where col1 = ? AND col2 = ?";
$result = sqlsrv_query($myConn, $sql, array($var1, $var2));
//please note. This code WILL work!
But when I do that with a stored procedure it fails. It fails with no errors reported via sqlsrv_errors(), no action taken in database, and $result === false.
To be clear, the following fails:
$sql = "MyDB.dbo.myProcedure ?, ?, ?";
$result = sqlsrv_query($myConn, $sql, array($var1, $var2, $var3));
Likewise a prepare/execute statement created the same way will also fail:
$sql = "MyDB.dbo.myProcedure ?, ?, ?";
$stmt = sqlsrv_prepare($myConn, $sql, array(&$var1, &$var2, &$var3));
foreach($someArray as $key => $var3) {
if(sqlsrv_execute($stmt) === false) {
echo 'mucho fail.';
}
}
//this code also fails.
For completeness, I have confirmed that the stored procedure in question works directly within SQL Management Studio AND if called the way I mentioned above. Likewise, I have confirmed that I can use parameterized queries for any raw query (like an insert, select, update vs a stored procedure).
So, my question is how can I call a stored procedure using the parameterized query vs embedding the variables in the query string?
More importantly, I am actually wanting to use a prepare/execute, so hopefully the answer will allow this to work as well.
See Question&Answers more detail:
os 
