在 PHP 中运行 SQL 存储过程答案

【问题标题】：Running SQL Stored Procedure in PHP在 PHP 中运行 SQL 存储过程
【发布时间】：2014-07-16 20:47:08
【问题描述】：

我不熟悉 PHP，但我想弄清楚为什么这不起作用。我试图运行一个 SQL 存储过程，它通过 php 接收一些参数。此代码应该在表单中添加额外的一行，用于根据条件输入用户数据。当我直接在 SQL Server Management Studio 中运行存储过程时，它工作正常并将行添加到后端表并反映前端表单中的行，但是当尝试使用底层代码在前端添加行时，我没有收到任何错误，也没有任何更新。

我不熟悉 PHP，但我正在努力学习并弄清楚为什么这不起作用。非常感谢任何帮助。

这是底层的 PHP 代码。

<?PHP include 'Connections/PromAPPS01Connection.php'; ?>
<?php
session_start();
$sUserid = "9999";
if(isset($_SESSION['sUserID'])){
    $sUserid = $_SESSION['sUserID'];
    //echo "Yes";
}
else{
    /* Redirect browser */
    header("Location: LoginSession.php");
    /* Make sure that code below does not get executed when we redirect. */
    exit;
    //echo "No";
}

$sPostPropertyId = $_POST["Props"];
$sPostGroupId = $_POST["AcctGroup"];
$sRecordStart = $_POST["RS"];
$sPostAcct = $_POST["Acct"];
$sPostYear = $_POST["Year"];
$sBudgetID = $_POST["BudgetID"];
$sPostRowCount = $_POST["AcctCount"];
$sSubmitType = $_POST["SubmitType"];
$sView = $_POST["View"];
$sAddLineAcct = $_POST["NewLineAcct"];
$sAddLineProp = $_POST["NewLineProp"];
$sAddLineYear = $_POST["NewLineYear"];
$sPropertyNumber = $_POST["PropertyNumber"];
$sType = $_POST["Type"];
$sDept = $_POST["Dept"];
$sComments = $_POST["Comments"];
$sAddType = $_POST["AddType"];

$sqlNewLine = "Exec Budgeting.procAddNewLines '". $sPostPropertyId ."', '". $sPropertyNumber ."', '". $sAddLineAcct ."', '". $sAddType ."','". $sType ."', '". $sAddLineYear ."', '". $sPostYear ."', '". $sComments ."', '". $sUserid ."','". $sDept ."' ";
//echo "<br>";
//echo $sAddType ." & ". $sAddLineYear . " &". $sPostYear;

if ($sRecordStart == ""){ 
    $sRecordStart = 0;
}

$iNextRS = $sRecordStart;

$navigateLocation = "PlanSheetProperty.php";

//echo "<br>";
//  echo $sqlNewLine;
    // Executing the sql update code
        //conn.Execute sql_New_Line
    //#####################################################################
    $stmtNewLine = sqlsrv_prepare($dbLink, $sqlNewLine);

    sqlsrv_execute($stmtNewLine);
            //#################################

?> 
<html>
<head>
<Link Rel="Stylesheet" href="RenewStyle.css" type="text/css">
    <title>The Budget Machine</title>
</head>
<!--body-->
<body onLoad="document.AcctUpdate.submit();">
<?PHP include 'Top.php'; ?>

<table width="100%" bordercolor="#003366" cellpadding="0" cellspacing="0"><tr><td>
<table width="100%" cellpadding="3" cellspacing="0" border="0">
    <tr class="Title1">
        <td valign="bottom">&nbsp;

        </td>
        <td colspan="5" rowspan="2" valign="middle" nowrap>&nbsp;

        </td>
        <td colspan="13" align="right" valign="bottom" nowrap>&nbsp;

        </td>
        <td align="right" valign="bottom" nowrap>&nbsp;

        </td>
        <td align="right" valign="bottom" nowrap>&nbsp;

        </td>
        <td align="right" valign="bottom" nowrap>
        <!--input type="Button" value="< Back to Properties" onClick="document.location='PropertyList.asp'"-->
        </td>
        <td valign="bottom">&nbsp;

        </td>
    </tr>
    <tr class="Title1">
        <td valign="bottom">&nbsp;

        </td>
        <td colspan="5" rowspan="2" valign="middle" nowrap>&nbsp;

        </td>
        <td colspan="13" align="left" valign="bottom" nowrap>
        Saving data...<br>
        Please be patient
        </td>
        <td align="right" valign="bottom" nowrap>&nbsp;

        <form method="post" action="<?php echo $navigateLocation ?>" name="AcctUpdate" id="AcctUpdate" />        
        <input type="hidden" name="RS" id="RS" value="<?PHP echo $iNextRS ?>">
        <input type="hidden" name="Props" id="Props" value="<?PHP echo $sPostPropertyId ?>">
        <input type="hidden" name="AcctGroup" id="AcctGroup" value="<?PHP echo $sPostGroupId ?>">
        <input type="hidden" name="GLAcct" id="GLAcct" value="<?php echo $sAddLineAcct ?>">
        <input type="hidden" name="AcctCount" id="AcctCount" value="<?PHP echo $sPostRowCount ?>">
        <input type="hidden" name="BudgetID" id="BudgetID" value="<?PHP echo $sBudgetID ?>">
        <input type="hidden" name="NewLineAcct" id="NewLineAcct" value="<?php echo $sPostAddLineAcct ?>">        
        <input type="hidden" name="PropertyNumber" id="PropertyNumber" value="<?php echo $sPostPropertyNumber ?>">
        <input type="hidden" name="SubmitType" id="SubmitType" value="<?php echo $sSubmitType ?>">
        <input type="hidden" name="View" id="View" value="<?php echo $sView ?>">
        <input type="hidden" name="NewLineProp" id="NewLineProp" value="<?php echo $sPostAddLineProp ?>">
        </form>
        </td>
        <td align="right" valign="bottom" nowrap>&nbsp;

        </td>
        <td align="right" valign="bottom" nowrap>&nbsp;

        </td>
        <td align="right" valign="bottom" nowrap>
        </td>
        <td valign="bottom">&nbsp;

        </td>
    </tr>
     </table>
</td></tr></table>

</body>
</html>

这是存储过程：

 SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER Procedure AddNewLines
(
    @PropertyID numeric (10,0) = NULL,
    @PropertyNumber varchar (30) = NULL,
    @GLAccountNumber varchar (10) = NULL,
    @InsertType varchar (10) = NULL,
    @LineAssoc varchar (10) = NULL, 
    @ClickYear varchar (30) = NULL,
    @Year varchar (30) = NULL,
    @Comments varchar (800) = NULL,
    @User int = NULL,
    @DeptCode varchar (10) = NULL
) AS




IF @InsertType = 'Single'
    BEGIN
    IF @LineAssoc = 'Project'
        BEGIN
        INSERT INTO BudDat(PropertyID, 
            PropertyNumber, 
            GLAccountNumber, 
            Project, 
            [Year], 
            BudgetID, 
            Comments, 
            LastChangedDate, 
            LastChangedBy) 
            VALUES (@PropertyID, 
            @PropertyNumber, 
            @GLAccountNumber, 
            'Y', 
            @ClickYear, 
            '', 
            @Comments, 
            getDate(), 
            @User)
        END



    IF @LineAssoc = 'None'
        BEGIN
        INSERT INTO BudDat(PropertyID, 
            PropertyNumber, 
            GLAccountNumber, 
            DeptCode, 
            [Year], 
            BudgetID, 
            Comments, 
            LastChangedDate, 
            LastChangedBy) 
            VALUES (@PropertyID, 
            @PropertyNumber, 
            @GLAccountNumber, 
            @DeptCode,
            @ClickYear, 
            '', 
            @Comments, 
            getDate(), 
            @User)
        END
    END

IF @InsertType = 'Multiple'
    BEGIN
    DECLARE @YearCount int
    Select @YearCount = 0
    IF @LineAssoc = 'Project'
        BEGIN
        WHILE (@YearCount < 5)
            BEGIN
            INSERT INTO BudDat(PropertyID, 
                PropertyNumber, 
                GLAccountNumber, 
                Project, 
                [Year], 
                BudgetID, 
                Comments, 
                LastChangedDate, 
                LastChangedBy) 
                VALUES (@PropertyID, 
                @PropertyNumber, 
                @GLAccountNumber, 
                'Y', 
                @Year, 
                '', 
                @Comments, 
                getDate(), 
                @User)
            Select @YearCount = @YearCount+1
            Select @Year = @Year+1
            END
        END



    IF @LineAssoc = 'None'
        BEGIN
        WHILE (@YearCount < 5)
            BEGIN
            INSERT INTO BudDat(PropertyID, 
                PropertyNumber, 
                GLAccountNumber, 
                DeptCode, 
                [Year], 
                BudgetID, 
                Comments, 
                LastChangedDate, 
                LastChangedBy) 
                VALUES (@PropertyID, 
                @PropertyNumber, 
                @GLAccountNumber, 
                @DeptCode,
                @Year, 
                '', 
                @Comments, 
                getDate(), 
                @User)
            Select @YearCount = @YearCount+1
            Select @Year = @Year+1
            END
        END
    END

【问题讨论】：

正如我所说，我对 PHP 了解不多，但是当从其他地方调用一个过程时，它并没有做不同的事情。我不知道如何从 PHP 中正确调用存储过程，但在我看来，您正在执行传递查询。这很容易受到 sql 注入的影响。你应该参数化你的过程调用。

标签： php sql sql-server stored-procedures

【解决方案1】：

我对 PHP 了解不多，但您可以大大简化存储过程。不需要循环之类的东西。这应该做同样的事情。

ALTER Procedure AddNewLines
(
    @PropertyID numeric (10,0) = NULL,
    @PropertyNumber varchar (30) = NULL,
    @GLAccountNumber varchar (10) = NULL,
    @InsertType varchar (10) = NULL,
    @LineAssoc varchar (10) = NULL, 
    @ClickYear varchar (30) = NULL,
    @Year varchar (30) = NULL,
    @Comments varchar (800) = NULL,
    @User int = NULL,
    @DeptCode varchar (10) = NULL
) AS

    IF @LineAssoc = 'Project'
        INSERT INTO BudDat(PropertyID, 
            PropertyNumber, 
            GLAccountNumber, 
            Project, 
            [Year], 
            BudgetID, 
            Comments, 
            LastChangedDate, 
            LastChangedBy) 
            select @PropertyID, 
            @PropertyNumber, 
            @GLAccountNumber, 
            'Y', 
            @ClickYear, 
            '', 
            @Comments, 
            getDate(), 
            @User
            from (VALUES (1),(2),(3),(4),(5)) as Numbers(x)
            where x <= case when @InsertType = 'Single' then 1 else 5 end


    IF @LineAssoc = 'None'
        INSERT INTO BudDat(PropertyID, 
            PropertyNumber, 
            GLAccountNumber, 
            DeptCode, 
            [Year], 
            BudgetID, 
            Comments, 
            LastChangedDate, 
            LastChangedBy) 
            SELECT @PropertyID, 
            @PropertyNumber, 
            @GLAccountNumber, 
            @DeptCode,
            @ClickYear, 
            '', 
            @Comments, 
            getDate(), 
            @User
            from (VALUES (1),(2),(3),(4),(5)) as Numbers(x)
            where x <= case when @InsertType = 'Multiple' then 1 else 5 end

顺便说一句...不太确定为什么将其标记为 sql-server。似乎程序本身很好。显然问题出在你的 php 中。

【讨论】：

是的，这是一个 php 问题，但尝试运行 SQL 存储过程。我的问题是为什么它不能通过 PHP 运行？