1

I am doing some maintenance work on an older system that is running PHP 4 and talks to a MS SQL2000 database via FreeTDS. I know, it already sounds somewhat scary!

A lot of the code used unsafe string-concatenation for generating SQL queries. I have done some work to try and filter the input to make things safer but it is giving me a headache.

I am wondering if there is a something out there that will allow my to do proper parameterized queries given my current setup? At this point I am unable to change the versions of PHP or MSSQL.

Improve this question

2 Answers 2

Reset to default
1

If your primary interest in parameterized queries is SQL Injection safety, I'd look for a database abstraction layer that provides the functionality for you and is written in pure PHP. I've used ADOdb and it's a decent option, and it looks like they still have an older PHP4 version available for download.

The only caveat to this is the abstraction layer may not do "proper" parameterized queries with you database. In other words, they may have implemented their own parameterizing engine, and then send off full SQL strings to the database. This is important with MS SQL Server, as "proper" parameterized queries can bring a significant performance increases.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Took awhile to investigate, but ADOdb seems to be working well. Thanks for the advice!
1

Use a database abstraction layer like MDB2 that provides them.

Improve this answer

1 Comment

That appears to be a good option that I had looked into before, although I couldn't find a reference that MDB2 would work with PHP4. Do you know if that is the case?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.