Hi,
SETUP:
PHP 5.4
MS SQL Express 2012
Windows Server 2012
After some excellent help the other day with my 'Traffic Lights' script, I got everything working with sqlsrv as required for MSSQL. 😃
Then my boss spots the SQL injection error with a single quote! :eek: D'oh!
OK, research tells me that the best way to avoid SQL injection errors is to use PDO and bindParam.
Makes sense, so I have converted most of my pages over to PDO_sqlsrv without too much bother, until I got to the main Traffic Light page.....
Existing PHP sqlsrv
// SQL Lookup: fetch the highest Current_Status_ID as a single string
$s_sql = "SELECT TOP 1 Current_Status_ID FROM IT_t_services ORDER BY Current_Status_ID DESC";
$getServices = sqlsrv_query($conn, $s_sql);
sqlsrv_fetch($getServices);
$field = sqlsrv_get_field($getServices, 0);
// echo $field; // Diagnostic only
// Map the status code (note the trailing space in the stored values) to an image
if ( $field == "SC005 " )
{
    $dis_image = "IT_red.jpg";
}
else if ( $field == "SC004 " )
{
    $dis_image = "IT_red.jpg";
}
else if ( $field == "SC003 " )
{
    $dis_image = "IT_amber.jpg";
}
else if ( $field == "SC002 " )
{
    $dis_image = "IT_amber.jpg";
}
else if ( $field == "SC001 " )
{
    $dis_image = "IT_green.jpg";
}
I know that the IF... ELSE... should be fine but I'm having trouble finding PDO_sqlsrv alternatives for the sqlsrv statements.
$getServices= sqlsrv_query($conn, $s_sql);
sqlsrv_fetch($getServices);
$field = sqlsrv_get_field($getServices, 0);
I can't get PDO_sqlsrv to produce a single string result like this sqlsrv code does.
I will continue to try and find a solution, but if anyone has already got one, I would much appreciate it.
Thanks,
Barry.
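An added example (not code from the original post) of the PDO_sqlsrv equivalent: prepare/execute plus fetchColumn() returns the single value the sqlsrv code produced, and a bound parameter shows the pattern for the user-supplied case where the single-quote injection came from. The DSN, credentials, the Service_Name column, the $_GET parameter and the fallback image name are assumptions.

```php
<?php
// Added example: PDO_sqlsrv version of the Traffic Light lookup.
// Connection details are placeholders (assumption, not from the post).
$dsn = 'sqlsrv:Server=localhost\SQLEXPRESS;Database=YOUR_DB';
$pdo = new PDO($dsn, 'YOUR_USER', 'YOUR_PASSWORD');
// Throw exceptions instead of silently returning false on errors.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Status code -> image. rtrim() below strips the trailing space that the
// post's comparisons ("SC005 ") show, assumed here to be CHAR padding.
$status_images = array(
    'SC005' => 'IT_red.jpg',
    'SC004' => 'IT_red.jpg',
    'SC003' => 'IT_amber.jpg',
    'SC002' => 'IT_amber.jpg',
    'SC001' => 'IT_green.jpg',
);

// 1. The original query: no user input, so no parameters are needed.
//    fetchColumn() returns column 0 of the first row as a single string,
//    or false when the result set is empty.
$stmt = $pdo->prepare(
    'SELECT TOP 1 Current_Status_ID FROM IT_t_services ORDER BY Current_Status_ID DESC'
);
$stmt->execute();
$field = $stmt->fetchColumn();

// 2. The same lookup filtered by user input (Service_Name is a hypothetical
//    column). The value is bound, never concatenated into the SQL text, so a
//    single quote in $service_name is plain data and cannot change the query.
$service_name = isset($_GET['service']) ? $_GET['service'] : '';
$stmt = $pdo->prepare(
    'SELECT TOP 1 Current_Status_ID FROM IT_t_services WHERE Service_Name = :name'
);
$stmt->bindParam(':name', $service_name, PDO::PARAM_STR);
$stmt->execute();
$field_for_service = $stmt->fetchColumn();

// Resolve the image; unknown or missing codes get a placeholder image name.
$code = ($field === false) ? '' : rtrim($field);
$dis_image = isset($status_images[$code]) ? $status_images[$code] : 'IT_unknown.jpg';
```

With ERRMODE_EXCEPTION set, a failed query raises a PDOException instead of leaving $field as false, so wrap the calls in try/catch where you want to log the error rather than stop the page.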