oracle 使用 oci_parse 和 oci_execute
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/8204903/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Using oci_parse and oci_execute
提问by Daniel Nill
I'm sure this is something very basic but I can't seem to find my error.
我确定这是非常基本的东西,但我似乎找不到我的错误。
I'm trying to execute the following...
我正在尝试执行以下操作...
$c = db_connect();
$email = addslashes($email);
$sql = "SELECT * FROM RUSER WHERE email LIKE '" . $email . "';";
$query = oci_parse($c, $sql) or die(oci_error($c));
$response = oci_execute($query) or die(oci_error($c));
but I get oci8 statement Warning: oci_execute(): ORA-00911: invalid character in /path/to/file.php on line 67where line 67 is where $responseis assigned.
但我得到oci8 statement Warning: oci_execute(): ORA-00911: invalid character in /path/to/file.php on line 67了第 67 行的$response分配位置。
So that means there is something wrong with $queryright? But I can't seem to find what that would be. The raw sql executes fine from the command line. echoing get_resource_type($query)gives a resource id...
所以这意味着有什么不对$query吗?但我似乎无法找到那会是什么。原始 sql 从命令行执行得很好。echoingget_resource_type($query)给出了一个资源 ID...
What am I doing wrong?
我究竟做错了什么?
回答by Sodved
Do NOT include the ;in your SQL. The ;is not part of SQL itself, its used by various SQL clients (e.g. sql*plus) as a delimiter to mark the end of commands to be sent to the server.
不要;在您的 SQL 中包含。的;是不SQL本身的一部分,其由各种SQL客户机使用(例如SQL *加号)作为分隔符来标记命令的结束被发送到服务器。
回答by Rajan
The first error is
第一个错误是
$c = oci_connect("user","password","host/dbname") // db_connect() is not true
second error is there should not be ";" in the statement
第二个错误是不应该有“;” 在声明中
$sql = "SELECT * FROM RUSER WHERE email LIKE '" . $email . "';";
it should be
它应该是
$sql = "SELECT * FROM RUSER WHERE email LIKE '" . $email . "'";
if you want to compare better user "=" than LIKE
如果你想比较更好的用户“=”而不是 LIKE
回答by mickmackusa
Yes, the semicolon is an issue, but not the only one.
是的,分号是一个问题,但不是唯一的问题。
- the query is directly injecting the variable string into the sql -- this is a potential point of vulnerability/insecurity.
- there is no need for the LIKE comparison if you aren't using any wildcard characters (e.g.
%,_) in your value.
- 查询直接将变量字符串注入到 sql 中——这是一个潜在的漏洞/不安全点。
- 如果您的值中没有使用任何通配符(例如
%,_),则不需要 LIKE 比较。
Suggested Code:
建议代码:
$stmt = oci_parse($conn, "SELECT * FROM RUSER WHERE email = :email");
oci_bind_by_name($stmt, ":email", $email);
oci_execute($stmt);
$count = oci_fetch_all($stmt, $resultSet, 0, -1, OCI_FETCHSTATEMENT_BY_ROW);
// hypothetical outputs:
// $count = 1
// $resultSet = [['id => 3, 'email' => '[email protected]', ...]]
