Performing parameterized queries

// $dbServer and $connectionInfo are assumed to have been set up earlier (server name and connection options).
$conn = sqlsrv_connect($dbServer, $connectionInfo);
// Each ? is a parameter marker: the driver sends the values separately from the SQL text,
// so user input can never be interpreted as part of the statement.
// (The plaintext password comparison is only here to illustrate parameter binding.)
$query = "SELECT * FROM [users] WHERE [name] = ? AND [password] = ?";
// Parameter values are supplied in the same order as the markers.
$params = array("joebloggs", "pa55w0rd");
$stmt = sqlsrv_query($conn, $query, $params);
If you intend to run the same query several times with different parameters, you can achieve the same result with sqlsrv_prepare() and sqlsrv_execute(), as shown below:
$cart = array(
    "apple" => 3,
    "banana" => 1,
    "chocolate" => 2
);
$query = "INSERT INTO [order_items]([item], [quantity]) VALUES(?,?)";
$params = array(&$item, &$qty); // Variables as parameters must be passed by reference
$stmt = sqlsrv_prepare($conn, $query, $params);
if($stmt === FALSE) {
    die(print_r(sqlsrv_errors(), true));
}
foreach($cart as $item => $qty){
    // Each iteration assigns new values to $item and $qty; because they were bound
    // by reference, the prepared statement reads the current values on every execute.
    if(sqlsrv_execute($stmt) === FALSE) {
        die(print_r(sqlsrv_errors(), true));
    }
}
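The ? markers bind values only; SQL Server will not accept a parameter in place of a table or column name. The following is an added example (not from the original page) showing how to combine a bound search value with an allow-listed sort column; the [products] table, its columns and the helper names are assumptions.

```php
<?php
// Added example; $conn is assumed to be an open sqlsrv connection and
// [products]([name], [price]) a hypothetical table.

// Identifiers cannot be bound with ?, so the sort column is allow-listed
// instead of being interpolated from raw input.
const SORTABLE_COLUMNS = array('name', 'price');

function buildProductSearch(string $term, string $sortBy): array
{
    if (!in_array($sortBy, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $sortBy");
    }
    // Unsafe form, shown for contrast only:
    //   "... WHERE [name] LIKE '%" . $term . "%'"
    // The safe form keeps the SQL text fixed and sends $term as a parameter.
    // ESCAPE '\' makes a user-supplied % or _ match literally rather than as a wildcard.
    $query = "SELECT [name], [price] FROM [products] "
           . "WHERE [name] LIKE ? ESCAPE '\\' ORDER BY [$sortBy]";
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    return array($query, array($pattern));
}

function searchProducts($conn, string $term, string $sortBy): array
{
    list($query, $params) = buildProductSearch($term, $sortBy);
    $stmt = sqlsrv_query($conn, $query, $params);
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    $rows = array();
    while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
        $rows[] = $row;
    }
    sqlsrv_free_stmt($stmt);
    return $rows;
}

// Example call: the search term may contain quotes or wildcards without affecting the SQL.
// $rows = searchProducts($conn, "50% off", 'price');
```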