I am doing some maintenance work on an older system that is running PHP 4 and talks to a MS SQL2000 database via FreeTDS. I know, it already sounds somewhat scary!
A lot of the code used unsafe string-concatenation for generating SQL queries. I have done some work to try and filter the input to make things safer but it is giving me a headache.
I am wondering if there is a something out there that will allow my to do proper parameterized queries given my current setup? At this point I am unable to change the versions of PHP or MSSQL.
If your primary interest in parameterized queries is SQL Injection safety, I’d look for a database abstraction layer that provides the functionality for you and is written in pure PHP. I’ve used ADOdb and it’s a decent option, and it looks like they still have an older PHP4 version available for download.
The only caveat to this is the abstraction layer may not do “proper” parameterized queries with you database. In other words, they may have implemented their own parameterizing engine, and then send off full SQL strings to the database. This is important with MS SQL Server, as “proper” parameterized queries can bring a significant performance increases.