
How to use prepared statements and bound parameters in PHP oci8

So using prepared statements and bound parameters is the suggested way of writing SQL statements. The oci8 manual does not describe how to do it with prepared statements.

Below is how to return the next row from a query as an object, but it's not best practice, as the query string can contain a where col = $PHPvariable.

<?php

    $conn = oci_connect('hr', 'welcome', 'localhost/XE');
    if (!$conn) {
        $e = oci_error();
        trigger_error(htmlentities($e['message'], ENT_QUOTES), E_USER_ERROR);
    }

    // the statement text is fixed here; the problem starts when a PHP
    // variable is concatenated into it
    $select_sql = oci_parse($conn, 'SELECT id, description FROM mytab');
    oci_execute($select_sql);

    while (($row = oci_fetch_object($select_sql)) !== false) {
        // Use upper case attribute names for each standard Oracle column
        echo $row->ID . "<br>\n";
        echo $row->DESCRIPTION . "<br>\n";
    }

    // free the statement handle that was actually parsed above
    oci_free_statement($select_sql);
    oci_close($conn);

    ?>

Yes, it's possible to use oci8 parameterized queries for your SQL statements.

oci_bind_by_name binds a PHP variable to the Oracle bind variable placeholder bv_name. Binding is important for Oracle database performance and also as a way to avoid SQL injection security issues.

Binding reduces SQL injection concerns because the data associated with a bind variable is never treated as part of the SQL statement. It does not need quoting or escaping.

Read more here.

 <?php

    $conn = oci_connect("hr", "hrpwd", "localhost/XE");
    if (!$conn) {
        $m = oci_error();
        trigger_error(htmlentities($m['message']), E_USER_ERROR);
    }

    // :dpid is an Oracle bind variable placeholder; its value is supplied
    // separately from the statement text
    $sql = 'SELECT last_name FROM employees WHERE department_id = :dpid';

    $stid = oci_parse($conn, $sql);
    $didbv = 60;

    // the placeholder name must match the one in the SQL exactly
    oci_bind_by_name($stid, ':dpid', $didbv);
    oci_execute($stid);

    while (($row = oci_fetch_object($stid)) !== false) {
        // Oracle returns unquoted column names in upper case
        echo $row->LAST_NAME . "<br>\n";
    }

    oci_free_statement($stid);
    oci_close($conn);

    ?>

After removing the space in ':dpid ' on line 14, the correct syntax is => oci_bind_by_name($stid, ':dpid', $didbv);
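The following is an added example, not code from the question or the answer above. It assumes an Oracle XE listener at localhost/XE with the HR sample schema and the credentials shown; the helper names query and employeesSorted are my own. It wraps parse / bind / execute / fetch in one function so every value reaches Oracle through a bind variable, shows why an injected string cannot change the statement, and covers the one case binding does not handle: an identifier such as an ORDER BY column, which has to be checked against an allow-list instead.

```php
<?php
// Added example (not from the question or answer). Assumes localhost/XE with
// the HR sample schema; query() and employeesSorted() are hypothetical helpers.

/**
 * Parse, bind every entry of $binds (placeholder name => value), execute,
 * and return all rows as associative arrays keyed by upper-case column name.
 * oci_bind_by_name() binds by reference, so the values are copied into a
 * local array that stays alive until oci_execute() has finished.
 */
function query($conn, string $sql, array $binds = []): array
{
    $stid = oci_parse($conn, $sql);
    if ($stid === false) {
        throw new RuntimeException(oci_error($conn)['message'] ?? 'oci_parse failed');
    }

    $values = $binds;
    foreach ($values as $name => &$value) {
        if (!oci_bind_by_name($stid, $name, $value)) {
            throw new RuntimeException(oci_error($stid)['message'] ?? 'bind failed');
        }
    }
    unset($value);

    if (!oci_execute($stid)) {
        throw new RuntimeException(oci_error($stid)['message'] ?? 'execute failed');
    }

    $rows = [];
    while (($row = oci_fetch_assoc($stid)) !== false) {
        $rows[] = $row;
    }
    oci_free_statement($stid);
    return $rows;
}

/**
 * Bind variables carry data values only: a column name for ORDER BY cannot be
 * bound, so it is checked against a fixed allow-list before being spliced in.
 */
function employeesSorted($conn, int $deptId, string $sortCol): array
{
    $allowed = ['LAST_NAME', 'HIRE_DATE', 'SALARY'];
    $col = strtoupper($sortCol);
    if (!in_array($col, $allowed, true)) {
        throw new InvalidArgumentException("unsupported sort column: $sortCol");
    }
    $sql = 'SELECT last_name, salary FROM employees'
         . ' WHERE department_id = :dpid ORDER BY ' . $col;
    return query($conn, $sql, [':dpid' => $deptId]);
}

$conn = oci_connect('hr', 'hrpwd', 'localhost/XE');
if (!$conn) {
    $e = oci_error();
    trigger_error(htmlentities($e['message'], ENT_QUOTES), E_USER_ERROR);
}

// Normal use: the integer 60 travels to Oracle as the value of :dpid.
foreach (employeesSorted($conn, 60, 'salary') as $row) {
    echo $row['LAST_NAME'] . ' ' . $row['SALARY'] . "<br>\n";
}

// Constructed attacker input. Concatenated into the statement text it would
// read "WHERE department_id = 60 OR 1=1" and return every employee.
$untrusted = '60 OR 1=1';

// Bound instead, the whole string is the *value* compared against
// department_id; Oracle tries to convert it to a number and the execute
// fails (ORA-01722) rather than running the injected predicate.
try {
    query($conn,
          'SELECT last_name FROM employees WHERE department_id = :dpid',
          [':dpid' => $untrusted]);
} catch (RuntimeException $ex) {
    echo 'Rejected: ' . htmlentities($ex->getMessage(), ENT_QUOTES) . "<br>\n";
}

oci_close($conn);
```

Two points worth keeping in mind when reusing this pattern: oci_bind_by_name reads the variable at oci_execute time, so the bound variable must still exist then (hence the local $values array rather than binding the caller's temporaries), and binding only ever substitutes values, never table or column names, IN-list lengths or SQL keywords, which is why employeesSorted() validates the sort column against a fixed list before placing it in the statement text.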
