
How do I insert a variable into this oci_parse statement

I'm creating PHP code for a web form that sends an automated email after submission, and I want to add all the form inputs to an Oracle database.

How do I add a variable into my oci_parse statement? For example, how do I pass my $name var into this statement?

I have tried researching the documentation as well as different code.

<?php

// Read the form inputs before checking them
$name = $_POST['name'] ?? '';
$studentemail = $_POST['studentemail'] ?? '';
$programofstudy = $_POST['programofstudy'] ?? '';
$enrolledinanonlineprogram = $_POST['enrolledinanonlineprogram'] ?? '';
$bodytext = $_POST['bodytext'] ?? '';

if (!empty($name) || !empty($studentemail) || !empty($programofstudy) || !empty($enrolledinanonlineprogram)) {

    // create new connection (table name is "register" in the SQL database)
    $db = oci_new_connect("someuser", "somepassword", "somehost");

    if (!$db) {
        echo "connection error check your server config";
        exit;
    }
    echo "Connection successful";

    // hardcoded value for now; this is the part I want to replace with a variable
    $stid = oci_parse($db, 'INSERT INTO register (column1) VALUES (12345)');
    oci_execute($stid);

    echo "we inserted 12345";
}
?>

The code works and "12345" is inserted into a table in the database; however, I want to pass a variable into the oci_parse statement, not the hardcoded value.

$stid = oci_parse($db, 'INSERT INTO register (column1) VALUES ('.$variable.')');

OR

$stid = oci_parse($db, "INSERT INTO register (column1) VALUES ($variable)");
//notice the double quotes

If it is an array or object:

$stid = oci_parse($db, 'INSERT INTO register (column1) VALUES ('.json_encode($variable).')');

Be aware of SQL injection: do not append values "as is" to SQL code.

Just imagine a situation:

$stid = oci_parse($db, 
  "UPDATE my_password_table SET password = '$user_input_password' WHERE login = '$user_input_login'");

When a user puts something like ' or 1 = 1 or '' = ' into the $user_input_login field, all passwords get updated.

Do not trust ANY data you get from a user, even if you know the user is not able to type that text in that field.

So, the less wrong way to add a value into a query is to replace all single quotes with doubled ones:

$stid = oci_parse($db,
  "INSERT INTO register (email) VALUES ('"
     . str_replace("'", "''", $studentemail) . "')");

But the right way to do that is to use the oci_bind_by_name function.

First, you declare bind variables by adding : before the name. Next, you bind the variable to that name:

$stid = oci_parse($db, 'INSERT INTO register (email) VALUES (:EMAIL)');
oci_bind_by_name($stid, ':EMAIL', $studentemail);
oci_execute($stid);

Note that no quotes are required for string variables.

Also, be careful: this function does not assign the value. It sets up a link between the PHP variable and the name in the query. The value of the variable is taken when oci_execute is performed. That means if you update the variable after it was bound but before the query is executed, the new value will be applied:

$stid = oci_parse($db, 'INSERT INTO register (email) VALUES (:EMAIL)');
$studentemail = 'ABC';
oci_bind_by_name($stid, ':EMAIL', $studentemail);
$studentemail = 'XYZ';
oci_execute($stid); // XYZ value is inserted
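As an added example (not the asker's or the answerer's code), here is the form handler from the question rewritten so that every field goes through a bind variable and database errors are logged rather than shown to the user. The column names other than column1 and the connection details are assumptions:

```php
<?php
// Added example: insert the four form fields from the question with bind
// variables. ASSUMED: the `register` table has columns NAME, STUDENTEMAIL,
// PROGRAMOFSTUDY and ENROLLEDINANONLINEPROGRAM (the question only shows
// `column1`), and the connection credentials are placeholders.

// Read the form fields first; `?? ''` avoids undefined-index warnings.
$fields = [
    'name'                      => $_POST['name'] ?? '',
    'studentemail'              => $_POST['studentemail'] ?? '',
    'programofstudy'            => $_POST['programofstudy'] ?? '',
    'enrolledinanonlineprogram' => $_POST['enrolledinanonlineprogram'] ?? '',
];

if ($fields['name'] === '' || $fields['studentemail'] === '') {
    exit('name and studentemail are required');
}

$db = oci_new_connect('someuser', 'somepassword', 'somehost');
if (!$db) {
    $e = oci_error();
    // Log the real error server-side; tell the user nothing about the database.
    error_log('OCI connect failed: ' . $e['message']);
    exit('Connection error, please try again later');
}

// The placeholders are part of the SQL text; the submitted values never are,
// so a value containing quotes or SQL keywords is stored literally and
// cannot change the statement.
$sql = 'INSERT INTO register (name, studentemail, programofstudy, enrolledinanonlineprogram)
        VALUES (:name, :email, :program, :enrolled)';
$stid = oci_parse($db, $sql);

// oci_bind_by_name binds by reference: the value is read at oci_execute() time.
oci_bind_by_name($stid, ':name',     $fields['name']);
oci_bind_by_name($stid, ':email',    $fields['studentemail']);
oci_bind_by_name($stid, ':program',  $fields['programofstudy']);
oci_bind_by_name($stid, ':enrolled', $fields['enrolledinanonlineprogram']);

// OCI_COMMIT_ON_SUCCESS (the default) commits at once; OCI_NO_AUTO_COMMIT
// would let several inserts share one transaction.
if (!oci_execute($stid, OCI_COMMIT_ON_SUCCESS)) {
    $e = oci_error($stid);
    error_log('OCI insert failed: ' . $e['message']);
    exit('Could not save your registration');
}

oci_free_statement($stid);
oci_close($db);
echo 'Registration saved';
```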
