(PHP 3 >= 3.0.6, PHP 4, PHP 5)

odbc_exec -- Prepare and execute a SQL statement


resource odbc_exec ( resource connection_id, string query_string [, int flags] )

Returns FALSE on error. Returns an ODBC result identifier if the SQL command was executed successfully.

odbc_exec() will send an SQL statement to the database server specified by connection_id. This parameter must be a valid identifier returned by odbc_connect() or odbc_pconnect().

See also: odbc_prepare() and odbc_execute() for multiple execution of SQL statements.

add a note add a note User Contributed Notes
delowing gmail dot com
28-Sep-2006 11:19
It is easy to inject evil code into SQL statements. This wraps parameters in quotes so they are not executable. In your own stored procedures you can convert the string to numeric as needed.

function sql_make_string($sin){
         return "'".str_replace("'","''",$sin)."'";

// this may delete all data from MYTABLE
$evil = "734'; DELETE FROM MYTABLE; print 'ha ha";
$sql = "SELECT * FROM MYTABLE WHERE mykey = '$evil'";
$rst = odbc_exec($connection,$sql);

// this probably will not delete the data.
$good = sql_make_string($evil);
$sql = "SELECT * FROM MYTABLE WHERE mykey =".$good
$rst = odbc_exec($connection,$sql);
denis at i39 dot ru
24-Aug-2006 08:24
I've got an error on MS SQL Server 2000, when tryed to execute query which grants rights to user to connect to database:

= "
 EXEC sp_grantdbaccess "
 EXEC sp_addrolemember  'db_owner','"
       if (!@
odbc_exec($db_Conn, $Query))
$strErrorMessage = odbc_errormsg($db_Conn);

The result was: Executing SQL directly; no cursor.

This query executes fine in MS's sql console. So it seems that problem is in odbc driver.
I've found desicion by removing first "EXEC".

It looks:
= "
 sp_grantdbaccess "
 EXEC sp_addrolemember  'db_owner','"
       if (!@
odbc_exec($db_Conn, $Query))
$strErrorMessage = odbc_errormsg($db_Conn);


P.S. Don't remove the second 'exec', 'cos MS returns another error :)
31-May-2006 08:02
Wouldn't it be better to use the database itself to find out if an id doesn't exist. eg: SELECT COUNT(id) as idCount FROM [Table] WHERE id = [ID]

Then check if idCount is zero or not.
joex444 at gmail dot com
22-Sep-2005 05:14
Maybe not the best way, but here's how I find out if a row doesn't exist:

if($id=="") {
//no rows
} else {

Where the 'id' field is a required field in your table...
30-Aug-2005 09:18
The following seems counterintuitive to me and so I am constantly getting burned by it.  Just thought I'd add a note for anyone else who might also get burned.

  if (!odbc_exec("select MyValue from MyTable where Key1='x' and Key2='y'"))

is not a good way to search for the existence of a record with Key1 = x and Key2 = y.  The odbc_exec always returns a result handle, even though there aren't any records.

Rather, you must use one of the fetch functions to find out that the record really doesn't exist.  This should work:

  if (!($Selhand = odbc_exec("select MyValue from MyTable where Key1='x' and Key2='y'"))
   || !odbc_result($Selhand, 1))
fuadMD at gmail dot com
24-May-2005 03:34
// - This is a complete working dynamic example of using:
//    odbc_connect, odbc_exec, getting col Names,
//    odbc_fetch_row and no of rows. hope it helps
// - your driver should point to your MS access file

$conn = odbc_connect('MSAccessDriver','','');


if (
$sql "select * from $month";
//this function will execute the sql satament
$result=odbc_exec($conn, $sql);

"<table  align=\"center\" border=\"1\" borderColor=\"\" cellpadding=\"0\" cellspacing=\"0\">\n";
"<tr> ";
// -- print field name
$colName = odbc_num_fields($result);
for (
$j=1; $j<= $colName; $j++)
"<th  align=\"left\" bgcolor=\"#CCCCCC\" > <font color=\"#990000\"> ";
odbc_field_name ($result, $j );
"</font> </th>";
// end of field names
while(odbc_fetch_row($result)) // getting data
 if (
$c%2 == 0 )
"<tr bgcolor=\"#d0d0d0\" >\n";
"<tr bgcolor=\"#eeeeee\">\n";
       if (
$i%$j == 0
$nrows+=1; // counting no of rows   


"</td> </tr>\n";
"</table >\n";
// --end of table 
if ($nrows==0) echo "<br/><center> Nothing for $month yet! Try back later</center>  <br/>";
else echo
"<br/><center> Total Records:  $nrows </center>  <br/>";
odbc_close ($conn);

else echo
"odbc not connected <br>";
james @ php-for-beginners co uk
18-Mar-2005 08:54
hi all, I managed to get this little snippet working, it's pretty useful if you have long forms to be inserted into a database.

if ( ! empty ( $_POST ) ){
 foreach($_POST as $key => $val){
  $columns .= addslashes($key) . ", ";
   $values .= "'" . addslashes($val) . "', ";
 $values = substr_replace($values, "", -2);
 $columns = substr_replace($columns, "", -2);
 $sql = "INSERT INTO table ($columns) VALUES ($values)";
 echo $sql;
 $results = odbc_exec($conn, $sql);
                 if ($results){
             echo "Query Executed";
               }else {
             echo "Query failed " .odbc_error();

Not the most secure in the world but, speeds up collecting data from large forms.
mramirez at star-dev dot com
01-Mar-2005 08:23
Hi, I was trying to execute an stored procedure with
PHP 4.3.10 and MS SQL Server 6.5 using PHP function
"odbc_exec" and ODBC.

The problem was that it returned an ouput parameter
and didn't  know the right PHP functions and SQL
syntax to call it.

Finally after looking elsewhere, it worked this way:




= 'myservername'
$database = 'mydatabasename';
$username = 'myusername';
$password = 'mypassword';

$connection_string =
'DRIVER={SQL SERVER};SERVER=' . $server . ';DATABASE=' . $database;

$connection = odbc_connect($connection_string, $username, $password);

$sql  = "BEGIN ";
$sql .= "  declare @MyOutputValue int ";
$sql .= "  execute MyStoredProc @MyOutputValue output select @MyOutputValue ";
$sql .= "END ";

'<form>' . chr(13);
'<table border="1">' . chr(13) . chr(13);

$query = odbc_exec($connection, $sql);

'<tr>' . chr(13);

// "odbc_result" = "FieldByNumber(Index)",
     // "Index" starts with 1 not 0 !!! :
$returnvalue = odbc_result($query, 1);

'<td>' . $returnvalue . '</td>';
'</tr>' . chr(13);

'</table>' . chr(13);
'</form>' . chr(13);






Good Luck.
Tom Cully <mail at tomcully dot com>
01-Mar-2005 12:22
MS Access through ODBC doesn't just not like quotes (escape with '' - two single quotes), it also really hates newlines - chr(10)s - in LONGCHAR fields, and maybe in other BINARY based fields as well. Leave in a return character - chr(13) - to get a "new line" when working with LONGCHAR fields in ODBC/MS Access:

Here's a function to do both for you:

function odbc_access_escape_str($str) {
 for($a=0; $a<strlen($str); $a++) {
  if($str[$a]=="'") {
  } else
  if($str[$a]!=chr(10)) {
 return $out;
d dot soussan at sovereignls dot co dot uk
17-Jan-2005 12:19
re the note from: sk2xml at gmx dot net 21-Nov-2001 02:15

About [] not working with Access.

if you use [] arount the field name then you must also use them around the table name, thus:

select [table1].[field1] from table1

That is standard Access syntax.

sk2xml's example had:

select table1.[field1] from table1

which will always fail.
Philip_Neeson at Hotmail dot com
15-Nov-2004 06:20
I kept getting FATAL: emalloc() errors when using select statements via odbc for MS SQL.

I had no control over the DB as it is a commercial CRM system.

I found that by 1st issuing an SQL query of "set textsize 9999;' within my PHP script is has resolved the issue..

I am running PHP 3.x on a Windows 2000 server that is patched to the max,

I spent hours on this one trying diferent ODBC drivers etc and this simple SQL resolved the issue.
sameer dot kelkar at gmail dot com
31-Aug-2004 06:26
$callstore  = odbc_exec($conn, "{CALL procedurename('" . $para1 . "','" . $para2 . "',1,'125478')}");
           $returnmessage  =  odbc_result($callstore,1);
       echo $returnmessage;
victor dot kirk at serco dot com
26-May-2004 08:47
rupix said above:
> it does not work. However if I use single quotes instead of \" the thing runs smoothly

SQL uses 'single quotes' to specify strings, thats why a \" does not work.
Sean Boulter
22-Apr-2004 08:50
Update to my previous post... Another way to solve the problem with single quotes (at least in my environment (php 4.3.6, ODBC to MS Access db)), is to edit the php.ini file and set magic_quotes_gpc = On and magic_quotes_sybase = On.  Note that this is a global setting, which may or may not be desirable.
Sean Boulter
22-Apr-2004 08:28
If a single quote exists within the field specified by your WHERE statement, ODBC fails because of a parsing error.  Although it seems intuitive, using \" around the field does not work (\"$var\").  The only solution I found was to replace all single quotes in my field with two single quotes.  ODBC interprets the first single quote as an escape character and interprets the second single quote as a literal.  Thanks to http://www.devguru.com/features/knowledge_base/A100206.html for this tip.
christopherbyrne at hotmail dot com
23-Jan-2004 05:33
When you pass a parameter to an Access procedure all data types (seemingly) can be single quoted and dates do not need (and will not work when) surrounded by #'s.

Hope this helps!
rob at vendorpromotions dot com
17-Jun-2003 04:29
This opens select statements 'for update' by default in db2.  If you're using db2, you have to tack on 'for read only' at the end to select from SYSCAT.TABLES, for example, without firing an error like

Warning: SQL error: [IBM][CLI Driver][DB2/LINUX] SQL0151N The column "MAXFREESPACESEARCH" cannot be updated. SQLSTATE=42808 , SQL state 42808 in SQLExecDirect

For example :

$query = odbc_exec($conn, "select * from syscat.tables for read only");

will work (only for db2).  I don't know about other databases.

The select statement will work in the 'db2' command line, but not in php, because of this side effect.
rupix at rediffmail dot com
05-Apr-2003 11:05
I tried the following line of code

=odbc_connect("pbk", "root","") or die(odbc_errormsg());
$q="insert into pbk values(\"$name\", \"$phone\")";
odbc_exec($odbc, $q) or die("<p>".odbc_errormsg());

it does not work. However if I use single quotes instead of \" the thing runs smoothly

thus the following would work

=odbc_connect("pbk", "yourworstnightmare","abracadabra") or die(odbc_errormsg());
$q="insert into pbk values('$name', '$phone')";
odbc_exec($odbc, $q) or die("<p>".odbc_errormsg());

Also having a user dsn is no good on win2k. Always have a System DSN. I don't know yet what are the implications of the same.
das_yrch at hotmail dot com
07-Mar-2003 07:17
I tried this way to see the results of a query and it works!!

$Conn = odbc_connect
("bbdd_usuaris","","",SQL_CUR_USE_ODBC );

$result=odbc_exec($Conn,"select nom from usuaris;");

       echo "Result is ".odbc_result($result,$i);
miguel dot erill at doymer dot com
24-Jul-2002 06:33
In a previous contribution it was told that if you're running NT/IIS with PHP 3.0.11 you can use MS Access dbs "stored procedures".

That was right, but if those stores procedures have parameters you have to supply them in the command line like this:

$conn_id = odbc_connect( "odbc_test_db", "","", SQL_CUR_USE_DRIVER );
$qry_id = odbc_do( $conn_id, "{CALL MyQuery(".$param.")}" );
martin at NOSPAMkouba dot at
06-Feb-2002 12:37
"[Microsoft][ODBC Microsoft Access Driver] Too few
parameters. Expected 1."

this not so clear to understand error comes when using access-odbc and a field name can't be found. check for correct spelling of fields.
lee200082 at hotmail dot com
22-Jan-2002 09:07
As an addition to the note about square brackets earlier:

Enclosing sql field names in '[' and ']' also allows you to use MS Access reserved words like 'date' and 'field' and 'time' in your SQL query... it seems that the square brackets simply tell Access to ignore any other meaning whatever is inside them has and take them simply as field names.
mh at maxx-web dot de
07-Jan-2002 01:25
Ich habe beim Nutzen von odbc_exec($conn, $sql); einen Bug entdeckt.

Wenn das SQL Statement ein reines "update" Statement ist so wird es nicht in die Datenbank geschrieben.

Erst nach dem Aufruf eines erneuten "Select" Statements, werden die Daten des vorigen Update Statements geschrieben.
$sql="select * from UserQuotas";
odbc_exec($conn, $sql);

Ich weiss nicht ob mein System daran Schuld ist oder ob es wirklich ein Fehler ist. Ein Oracle spezifisches "commit" habe ich zumindest nirgends gefunden.
sk2xml at gmx dot net
21-Nov-2001 10:15
Problem: Fieldnames in SQL-Statement have blanks and [] don't work!

Solution: Try "" instead


SELECT table2.first, table1.[last name] FROM tabel1, table2 -> don't work

SELECT table2.first, table1.\"last name\" FROM tabel1, table2 -> Try this

PS: Don't forget the espace characters !!!
david dot geere at nospam dot talk21 dot com
18-Aug-2001 04:08
Problem: Kept getting FATAL: emalloc() errors when using basic select statements via odbc for informix ....
Solution: Cast the columns to an informix odbc friendly type...I chose varchar(255)
example: select description::varchar(255) from objects;

Don't go through the 4 hours I just went through for this..you :-) me :-(
cfewer1 at home dot com
15-Aug-2001 05:25
If you're receiving a 'Syntax error in INSERT INTO ..<snip>.. SQL State 37000 in SQLExecDirect' error, try enclosing the field names between square brackets.


INSERT INTO whatever ([blah],[who],[what]) VALUES ('blah','blah','blah');

I spent 4 hours tryin to get this insert statement (without the []'s) to work. This seems to have fixed it.

[]'s, apparently according to MS, should be used with table/field names with spaces. Im not sure if this is an MS ODBC thing, or a PHP flaw.

tested with: win32/php4.0.6/apache1.3.20/odbc/mdac2.6sp1
akchu at at ualberta dot ca
08-Jan-2001 12:41
ODBC/MS Access Date Fields:

Matching dates in SELECT statements for MS Access requires the following format:
#Y-m-d H:i:s#

for example:

SELECT * FROM TableName WHERE Birthdate = #2001-01-07 00:00:00#


SELECT * FROM TableName WHERE Birthdate BETWEEN #2000-01-07 00:00:00# AND #2001-01-07 00:00:00#

This took me forever to figure out.
vpil at retico dot com
06-Nov-2000 10:24
Additional links to ODBC_exec:
How to actually write the SQL commands:
Demystifying SQL
Introduction to Structured Query Language
Covers read, add, modify & delete of data.
phobo at at at paradise dot net dot nz
02-Nov-2000 10:26
If Openlink -> MS Access Database fails and gives "Driver Not Capable" error or "No tuples available" warning, use the SQL_CUR_USE_ODBC cursor when using odbc_connect()...

andreas dot brunner at rubner dot com
08-Jul-2000 07:54
I wanted to access an MSAccess database via ODBC. The connection functioned without problems, but when I placed a SQL statement into my odbc_exec() i always got an error:
Warning: SQL error: [Microsoft][ODBC Driver Manager] Driver does not support that function, SQL state IM001 in SQLSetStmtOption in \\Server\directory/test.php3 on line 19.

Resolved my problem by myself: i simply had to install a new odbc-driver from the microsoft homepage.
gross at arkana dot de
28-Oct-1999 09:03
If you're running NT/IIS with PHP 3.0.11 and want to use MS Access dbs with "stored procedures" you can send an ODBC SQL query like:

$conn_id = odbc_connect( "odbc_test_db", "", "", SQL_CUR_USE_DRIVER );
$qry_id = odbc_do( $conn_id, "{CALL MyQuery}" );

This way you don't need to integrate query strings like

SELECT * FROM TblObject WHERE (((TblObject.something) Like "blahblahblah"));

in the php file. You directly call the query "MyQuery" that was generated by MS Access.
rmkim at uwaterloo dot ca
26-Aug-1999 02:13
for Win32(NT) and MSAcess 2000, whenever you retrieve a date column/field, php will automatically convert it to 'yyyy/mm/dd hh:mm:ss' format regardless of the style of date you've denoted in Access.
This seems to pose a problem when you exec SELECT, UPDATE, or DELETE queries, but strangley INSERT works fine. I've tried parsing the date into the desired format, but php still yells criteria mismatch.