MSSql returns only Resource id #3 response on echo sqlsrv_query()

Question

Getting the same kinda issue with all of my apis.. On echo sqlsrv_query(); gives the response Resource id #3. Also cant find any way to see whether the data returned is empty or not.. May be because of the Resource id #3 response my query data is hampered. Please do help.

Below is my code.

<?php
// the connection part of the code.......
$connectionInfo = array( 
    "UID"=>$uid,"PWD"=>$pwd,"Database"=>$databaseName,"CharacterSet" => "UTF-8");   

/* Connect using SQL Server Authentication. */    
$conn = sqlsrv_connect( $serverName, $connectionInfo); 
if( $conn === false ) {
 die( print_r( sqlsrv_errors(), true));
}

$username= $_REQUEST['username'];
$password= $_REQUEST['password'];

if($username && $password)
{
    $query = "SELECT NAME,LOGINID,PASSWORD FROM SMS_ACCESS WHERE LOGINID = '$username' AND   PASSWORD = '$password'";
    /* Execute the query. */    
    $stmt = sqlsrv_query( $conn,$query);    
    $json = array(); 

    echo $stmt;

    if ( $stmt === false)    
    {       
        $json["status_code"] = "203";
        $json["status"] = "Error in execution";
            //echo "Error in statement execution.\n";    
        die( print_r( sqlsrv_errors(), true));    
        echo json_encode(['data'=>[$json]]);
    }     
    else     
    {    
        while($row = sqlsrv_fetch_array( $stmt,  SQLSRV_FETCH_ASSOC)) 
        {
            $json["name"] = $row['0'];
        }
            //echo json_encode(['status_code' => "200",'status' => "success",'data'=>[$json],'Msg' => "Login Successful !!"]);
    }    
}
else {
    $json["status_code"] = "203";
    $json["status"] = "Parameter Missing !!";   
    die( print_r( sqlsrv_errors(), true));  
    echo json_encode(['data'=>[$json]]);
}

/* Free statement and connection resources. */    
sqlsrv_free_stmt($stmt);    
sqlsrv_close( $conn);    
?>

Are you storing passwords as plain text? – Matt Gibson Nov 30 '17 at 19:15 — Matt Gibson, Nov 30 '17 at 19:15
@MattGibson I knew I was forgetting something! – miken32 Dec 02 '17 at 00:26 — miken32, Dec 02 '17 at 00:26

score 1 · Accepted Answer · answered Nov 30 '17 at 19:03

If you read the documentation you'll find that sqlsrv_query returns "a statement resource on success and FALSE if an error occurred." You can't print a resource, so this behaviour is expected.

Next, you aren't actually outputting any JSON, which might explain why you're having problems with the APIs. die stops program execution immediately.

If you were outputting JSON, you're sending it with the wrong content type, and you're sending it in an inconsistent format. The error conditions have status and status_code inside a data element, while success does not.

You're fetching your database query as an associative array but then trying to use a numeric index to get a column value. As well, you don't need to loop over the result if you're only getting a single row.

Finally, you open yourself up to SQL injection by blindly inserting user-provided data into your query. This is a very bad idea, and will allow anyone to log in without authentication.

Try something like this instead:

<?php
$connectionInfo = [ 
    "UID"          => $uid,
    "PWD"          => $pwd,
    "Database"     => $databaseName,
    "CharacterSet" => "UTF-8",
];

$conn = sqlsrv_connect($serverName, $connectionInfo); 
if ($conn === false) {
    $data = [
        "status_code" => "203",
        "status"      => "Database error",
    ];
    header("Content-Type: application/json");
    echo json_encode($data);
    exit;
}

$username= $_REQUEST['username'];
$password= $_REQUEST['password'];

if(empty($username) || empty($password)) {
    $data = [
        "status_code" => "203",
        "status"      => "Parameter Missing !!",
    ];
    header("Content-Type: application/json");
    echo json_encode($data);
    exit;
}

$query = "SELECT NAME FROM SMS_ACCESS WHERE LOGINID = ? AND PASSWORD = ?";
$parameters = [$username, $password];
$stmt = sqlsrv_query($conn, $query, $parameters);
if ($stmt === false) {       
    $data = [
        "status_code" => "203",
        "status"      => "Error in execution",
    ];
    header("Content-Type: application/json");
    echo json_encode($data);
    exit;
}
$row = sqlsrv_fetch_array($stmt);
$data = [
    "status_code" => "200",
    "status"      => "success",
    "data"        => [
        "name"    => $row[0]
    ],
];
header("Content-Type: application/json");
echo json_encode($data);

sqlsrv_free_stmt($stmt);    
sqlsrv_close($conn);

hey hi this works fine..thanx for your help..but if im entering the wrong values of username or pwd the api is still returning success instead of failure.. — Shivani, Dec 01 '17 at 07:10
i wana see whether the pwd or username are matching or not..if they arent then api should return failure as reponse... — Shivani, Dec 01 '17 at 08:08

MSSql returns only Resource id #3 response on echo sqlsrv_query()

1 Answers1