Hi,
We’re getting Web Vulnerabilities errors from some of our code. I’ve replaced some of the in-house sanitize code that we’re using with PHP filter_…() functions. But I also want to replace our sqlsrv_query function with prepared statements.
We’re calling a Stored Procedure to do this insert. And this has worked fine:
$spSQL = "{call p_1A_insert ( ?, ?, ?, ?, ?, .....
$storedProc = sqlsrv_query( $queryLink, $spSQL, $spParams );
But when we convert the above to this:
$sql_prep = "EXEC p_1A_insert( ?, ?, ?, ?, ?, .....
$stmt = sqlsrv_prepare( $queryLink, $sql_prep, $spParams ) ;
$storedProc = sqlsrv_execute( $stmt ) ;
it generates an error:
Array ( [0] => Array ( [0] => 42000 [SQLSTATE] => 42000 [1] => 102 [code] => 102 [2] =>
[Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Incorrect syntax near
‘@P1’. [message] => [Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Incorrect syntax near ‘@P1’.
There IS no P1 variable or any other reference in our stored procedure or php code.
This type of error has been flagged as having a multitude of causes on the web. But most of them don’t seem relevant, except maybe for a Driver Error.
Does anyone have suggestions for the best way to approach this? I don’t have access to the PHP Server, can’t copy any DLLs or update php.ini, and am therefore stuck with Driver 11.
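
An added example, not part of the original post: `@P1` is the name the driver gives to the first `?` marker, and T-SQL `EXEC` does not accept parentheses around its argument list, whereas the ODBC `{call ...}` escape from the working `sqlsrv_query` version does and can be passed to `sqlsrv_prepare` unchanged (`sqlsrv_query` with a parameter array already sends the values as bound parameters). The helper names `buildCallSql` and `execProcedure` and the sample parameter values are assumptions; `$queryLink` is assumed to be an open sqlsrv connection.

```php
<?php
// Added example, not the poster's code. $queryLink is assumed to be an open
// sqlsrv connection; the values in $spParams are constructed placeholders.

/** Build an ODBC call escape with one "?" marker per parameter. */
function buildCallSql(string $procName, int $paramCount): string
{
    // A procedure name cannot be bound as a parameter, so accept only a
    // plain identifier and never interpolate request data here.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $procName)) {
        throw new InvalidArgumentException('Unexpected procedure name');
    }
    $marks = implode(', ', array_fill(0, $paramCount, '?'));
    return '{call ' . $procName . '(' . $marks . ')}';
}

/** Prepare and execute a stored procedure call; returns the statement. */
function execProcedure($conn, string $procName, array $params)
{
    // The marker count is derived from the parameter array, so the two
    // cannot drift apart.
    $sql = buildCallSql($procName, count($params));

    $stmt = sqlsrv_prepare($conn, $sql, $params);
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    if (sqlsrv_execute($stmt) === false) {
        $err = print_r(sqlsrv_errors(), true);
        sqlsrv_free_stmt($stmt);
        throw new RuntimeException($err);
    }
    return $stmt;
}

// Constructed sample values; the real procedure's parameter list is not
// shown in full in the post.
$spParams = array('example', 42, '2020-01-01');
$stmt = execProcedure($queryLink, 'p_1A_insert', $spParams);
sqlsrv_free_stmt($stmt);
```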