Cannot get a SQL Server PHP prepared statement to work


We’re getting Web Vulnerabilities errors from some of our code. I’ve replaced some of the in-house sanitize code that we’re using, with PHP filter_…() functions. But I also want to replace our sqlsrv_query function with prepared statements.

We’re calling a Stored Procedure to do this insert. And this has worked fine:

$spSQL = "{call p_1A_insert ( ?, ?, ?, ?, ?, .....
$storedProc = sqlsrv_query( $queryLink, $spSQL, $spParams );

but when we convert the above to this:

$sql_prep = "EXEC p_1A_insert( ?, ?, ?, ?, ?, .....
$stmt = sqlsrv_prepare( $queryLink, $sql_prep, $spParams ) ;
$storedProc = sqlsrv_execute( $stmt ) ;

it generates an error:

Array ( [0] => Array ( [0] => 42000 [SQLSTATE] => 42000 [1] => 102 [code] => 102 [2] => [Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Incorrect syntax near '@P1'. [message] => [Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Incorrect syntax near '@P1'.

There IS no P1 variable or any other reference in our stored procedure or php code.

This type of error has been flagged as having a multitude of causes on the web. But most of them don’t seem relevant, except maybe for a Driver Error.

Does anyone have suggestions for the best way to approach this? I don't have access to the PHP server, can't copy any DLLs or update php.ini, and therefore am stuck with Driver 11.
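The conversion the question describes, written out as an added example rather than the poster's own code. It assumes a hypothetical three-parameter procedure p_example_insert and an already-open sqlsrv connection $queryLink, because the real p_1A_insert parameter list is elided above; the comments note why the ODBC call escape keeps its parentheses while T-SQL EXEC does not.

```php
<?php
// Added example, not the poster's code. p_example_insert is a hypothetical
// stand-in for the poster's stored procedure; $queryLink is assumed to be an
// open connection returned by sqlsrv_connect().

function callStoredProcPrepared($queryLink, array $spParams)
{
    // The ODBC call escape "{call proc(?, ...)}" keeps its parentheses and is
    // accepted by sqlsrv_prepare just as it is by sqlsrv_query.
    // T-SQL EXEC takes a bare comma list: "EXEC proc ?, ?, ?". Writing
    // "EXEC proc( ?, ? )" is a syntax error; the driver renames the first
    // placeholder to @P1 before SQL Server parses it, which is where
    // "Incorrect syntax near '@P1'" comes from.
    $sql_prep = "{call p_example_insert( ?, ?, ? )}";
    // Equivalent T-SQL form: $sql_prep = "EXEC p_example_insert ?, ?, ?";

    // sqlsrv_prepare binds parameters by reference, so every entry in
    // $spParams must be a variable (or a reference), not a literal.
    $stmt = sqlsrv_prepare($queryLink, $sql_prep, $spParams);
    if ($stmt === false) {
        return ['ok' => false, 'errors' => sqlsrv_errors()];
    }
    if (sqlsrv_execute($stmt) === false) {
        $errors = sqlsrv_errors();
        sqlsrv_free_stmt($stmt);
        return ['ok' => false, 'errors' => $errors];
    }
    sqlsrv_free_stmt($stmt);
    return ['ok' => true, 'errors' => null];
}

// Constructed sample input. Because the values are bound as parameters,
// quotes and SQL fragments inside $note arrive at the procedure as plain
// string data, which is the point of moving off string-built queries.
$name = "widget";
$qty  = 3;
$note = "O'Brien's order; DROP TABLE x--";
$spParams = [&$name, &$qty, &$note];

$result = callStoredProcPrepared($queryLink, $spParams);
if (!$result['ok']) {
    print_r($result['errors']);
}
```

Reusing the same $stmt with new values in $name, $qty and $note and calling sqlsrv_execute() again is what sqlsrv_prepare is for; the statement is parsed once and only the bound data changes.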