将 OCI sysdate() 绑定到 PDO 参数? [英] Bind OCI sysdate() to PDO parameter?
问题描述
我想在我的 PDO 准备查询中绑定 sysdate 函数:
I want to bind sysdate function in my PDO prepared query :
$db = new PDO('oci:dbname=database;charset=UTF8', 'user', 'pass');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$query = $db->prepare('SELECT :func FROM DUAL');
$query->execute(array(':func' => 'SYSDATE()'));
var_dump($query->fetch());
结果返回:
array (size=2)
':FUNC' => string 'SYSDATE()' (length=9)
0 => string 'SYSDATE()' (length=9)
我想获取我的 oracle 数据库的系统日期.可能吗?
I want to get the system date of my oracle database. Is it possible ?
你能帮我把戏吗?
推荐答案
绑定参数是一种注入数据(例如数字或字符串文字)并确保它们不会成为代码的工具.但是,您要求的恰恰相反:您希望数据成为代码.所以恐怕你根本无法使用这种技术.
Bind parameters are a tool to inject data (such as numbers or string literals) and make sure they don't become code. However, you are asking for the exact opposite: you want data to become code. So I'm afraid you simply cannot use that technique.
您必须使用旧的 PHP 字符串操作函数动态地编写 SQL,例如:
You'll have to compose SQL dynamically using good old PHP string manipulation functions, e.g.:
$sql = sprintf('SELECT %s AS "result" FROM DUAL', 'SYSDATE');
不用说,出于明显的安全原因,您绝不应该允许自由输入.如果要切换功能,最好遵循白名单方法,例如:
Needless to say, you should never allow free input for obvious security reasons. If you want to switch functions you'd better follow a white list approach, e.g.:
switch (filter_input(INPUT_POST, 'option')) {
case 'time':
$function = 'SYSDATE';
break;
// ... more case statements
default:
$function = null;
}
if (!is_null($function)) {
$sql = sprintf('SELECT %s AS result FROM DUAL', $function);
// ...
}
这篇关于将 OCI sysdate() 绑定到 PDO 参数?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!