Elaborate emulate prepare and add an example

yitam · yitam · commit fe6274d7a14d · 2018-07-27T08:33:58.000-07:00
diff --git a/docs/connect/php/pdo-prepare.md b/docs/connect/php/pdo-prepare.md
@@ -1,7 +1,7 @@
 ---
 title: "PDO::prepare | Microsoft Docs"
 ms.custom: ""
-ms.date: "07/10/2017"
+ms.date: "07/20/2018"
 ms.prod: sql
 ms.prod_service: connectivity
 ms.reviewer: ""
@@ -43,7 +43,7 @@ The following table lists the possible *key_pair* values.
 |Key|Description|  
 |-------|---------------|  
 |PDO::ATTR_CURSOR|Specifies cursor behavior. The default is PDO::CURSOR_FWDONLY. PDO::CURSOR_SCROLL is a static cursor.<br /><br />For example, `array( PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY )`.<br /><br />If you use PDO::CURSOR_SCROLL, you can use PDO::SQLSRV_ATTR_CURSOR_SCROLL_TYPE, which is described below.<br /><br />See [Cursor Types &#40;PDO_SQLSRV Driver&#41;](../../connect/php/cursor-types-pdo-sqlsrv-driver.md) for more information about result sets and cursors in the PDO_SQLSRV driver.|  
-|PDO::ATTR_EMULATE_PREPARES|When PDO::ATTR_EMULATE_PREPARES is on, the placeholders in a prepared statement is replaced by bound parameters. A complete SQL statement with no placeholders is then sent to the database at Execute. <br /><br />PDO::ATTR_EMULATE_PREPARES can be used to bypass some restrictions in SQL Server. For example, SQL Server does not support named or positional parameters in some Transact-SQL clauses. Also, SQL Server has a limit of binding 2100 parameters.<br /><br />You can set the PDO::ATTR_EMULATE_PREPARES attribute to true. For example:<br /><br />`PDO::ATTR_EMULATE_PREPARES => true`<br /><br />By default, this attribute is set to false.<br /><br />**Note:** The security of parameterized queries is not in effect when you use `PDO::ATTR_EMULATE_PREPARES => true`. Your application should ensure that the data that is bound to the parameter(s) does not contain malicious Transact-SQL code.<br /><br />**Limitations:**: Because the parameters are not bound using the database's parameterized query feature, input_output and output parameters are not supported.|  
+|PDO::ATTR_EMULATE_PREPARES|By default, this attribute is false, which can be changed by this `PDO::ATTR_EMULATE_PREPARES => true`. See [Emulate Prepare](#emulate-prepare) for details and example.|
 |PDO::SQLSRV_ATTR_ENCODING|PDO::SQLSRV_ENCODING_UTF8 (default)<br /><br />PDO::SQLSRV_ENCODING_SYSTEM<br /><br />PDO::SQLSRV_ENCODING_BINARY|  
 |PDO::SQLSRV_ATTR_DIRECT_QUERY|When True, specifies direct query execution. False means prepared statement execution. For more information about PDO::SQLSRV_ATTR_DIRECT_QUERY, see [Direct Statement Execution and Prepared Statement Execution in the PDO_SQLSRV Driver](../../connect/php/direct-statement-execution-prepared-statement-execution-pdo-sqlsrv-driver.md).|  
 |PDO::SQLSRV_ATTR_QUERY_TIMEOUT|For more information, see [PDO::setAttribute](../../connect/php/pdo-setattribute.md).|  
@@ -91,7 +91,7 @@ print $stmt->rowCount();
 $stmt = null  
 ?>  
 ```  
-  
+
 ## Example  
 This example shows how to use the PDO::prepare method with a client-side cursor. For a sample showing a server-side cursor, see [Cursor Types &#40;PDO_SQLSRV Driver&#41;](../../connect/php/cursor-types-pdo-sqlsrv-driver.md).  
   
@@ -131,7 +131,89 @@ $row = $stmt->fetch( PDO::FETCH_NUM, PDO::FETCH_ORI_LAST );
 print_r($row);  
 ?>  
 ```  
-  
+
+<a name="emulate-prepare" />
+
+## Example 
+
+This example shows how to use the PDO::prepare method with PDO::ATTR_EMULATE_PREPARES set to true. 
+
+<?php
+$serverName = "yourservername";
+$username = "yourusername";
+$password = "yourpassword";
+$database = "tempdb";
+$conn = new PDO("sqlsrv:server = $serverName; Database = $database",  $username, $password);
+
+$pdo_options = array();
+$pdo_options[PDO::ATTR_EMULATE_PREPARES] = true;
+$pdo_options[PDO::SQLSRV_ATTR_ENCODING] = PDO::SQLSRV_ENCODING_UTF8;
+
+$stmt = $conn->prepare("CREATE TABLE TEST([id] [int] IDENTITY(1,1) NOT NULL, 
+                                          [name] nvarchar(max))", 
+                                          $pdo_options);
+$stmt->execute();
+
+$prefix = '가각';
+$name = '가각ácasa';
+$name2 = '가각sample2';
+
+$stmt = $conn->prepare("INSERT INTO TEST(name) VALUES(:p0)", $pdo_options);
+$stmt->execute(['p0' => $name]);
+unset($stmt);
+
+$stmt = $conn->prepare("SELECT * FROM TEST WHERE NAME LIKE :p0", $pdo_options);
+$stmt->execute(['p0' => "$prefix%"]);
+foreach ($stmt as $row) {
+    echo "\n" . 'FOUND: ' . $row['name'];
+}
+
+unset($stmt);
+unset($conn);
+?>
+
+The PDO_SQLSRV driver internally replaces all the placeholders with the parameters that are bound by [PDOStatement::bindParam()](../../connect/php/pdostatement-bindparam.md). Therefore, a SQL query string with no placeholders is sent to the server. Consider this example,
+
+```
+$statement = $PDO->prepare("INSERT into Customers (CustomerName, ContactName) VALUES (:cus_name, :con_name)");
+$statement->bindParam(:cus_name, "Cardinal");
+$statement->bindParam(:con_name, "Tom B. Erichsen");
+$statement->execute();
+```
+
+With emulate prepare set to false (the default case), the data sent to the database is:
+
+```
+"INSERT into Customers (CustomerName, ContactName) VALUES (:cus_name, :con_name)"
+Information on :cus_name parameter
+Information on :con_name parameter
+```
+
+The server will execute the query using its parameterized query feature for binding parameters. On the other hand, with emulate prepare set to true, the data sent to the server is essentially this:
+
+```
+"INSERT into Customers (CustomerName, ContactName) VALUES ('Cardinal', 'Tom B. Erichsen')"
+```
+
+### Encoding
+
+If user wishes to bind parameters with different encodings (for instance, UTF-8 or binary), user should clearly specify the encoding in the PHP script.
+
+The PDO_SQLSRV driver first checks the encoding specified in `PDO::bindParam()` (e.g., `$statement->bindParam(:cus_name, "Cardinal", PDO::PARAM_STR, 10, PDO::SQLSRV_ENCODING_UTF8)`). 
+
+If not found, the driver checks if any encoding is set in `PDO::prepare()` or `PDOStatement::setAttribute()`. Otherwise, the driver will use the encoding specified in `PDO::__construct()` or `PDO::setAttribute()`.
+
+### Limitations
+
+As you can see, binding is done internally by the driver. A valid query is sent to the server for execution without any parameter. Compared to the regular case, some limitations result when the parameterized query feature is not in use.
+
+1. It does not work for parameters that are bound as `PDO::PARAM_INPUT_OUTPUT`.
+    - When the user specifies `PDO::PARAM_INPUT_OUTPUT` in `PDO::bindParam()`, a PDO exception is thrown.
+2. It does not work for parameters that are bound as output parameters.
+    - When the user creates a prepared statement with placeholders that are meant for output parameters (i.e., having an equal sign immediately after a placeholder (e.g., `SELECT ? = COUNT(*) FROM Table1`)), a PDO exception is thrown.
+    - When the user creates a prepared statement that calls a procedure and with a placeholder as argument for an output parameter, no exception is thrown since the driver cannot detect the output parameter. However, the variable that the user provides for the output parameter will not be changed as expected in a non-emulate-prepared statement.
+3. Duplicated placeholders for a binary encoded parameter will not work
+
 ## See Also  
 [PDO Class](../../connect/php/pdo-class.md)
 
