Bind OCI sysdate() to PDO parameter?


Problem description

I want to bind the sysdate function in my PDO prepared query:

$db = new PDO('oci:dbname=database;charset=UTF8', 'user', 'pass');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$query = $db->prepare('SELECT :func FROM DUAL');
$query->execute(array(':func' => 'SYSDATE()'));
var_dump($query->fetch());

The result returned:

array (size=2)
  ':FUNC' => string 'SYSDATE()' (length=9)
  0 => string 'SYSDATE()' (length=9)

I want to get the system date of my Oracle database. Is it possible?

Can you help me with the trick?

Recommended answer

Bind parameters are a tool to inject data (such as numbers or string literals) and make sure they don't become code. However, you are asking for the exact opposite: you want data to become code. So I'm afraid you simply cannot use that technique.

You'll have to compose SQL dynamically using good old PHP string manipulation functions, e.g.:

$sql = sprintf('SELECT %s AS "result" FROM DUAL', 'SYSDATE');

Needless to say, you should never allow free input for obvious security reasons. If you want to switch functions you'd better follow a white list approach, e.g.:

switch (filter_input(INPUT_POST, 'option')) {
    case 'time':
        $function = 'SYSDATE';
        break;
    // ... more case statements
    default:
        $function = null;
}
if (!is_null($function)) {
    $sql = sprintf('SELECT %s AS result FROM DUAL', $function);
    // ...
}
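
The allow-list approach from the answer above, combined with a real bound value, as an added example that is not part of the original answer. The names DUAL_EXPRESSIONS, buildDualQuery and fetchServerValue, the extra options beyond 'time', and the TO_CHAR format parameter are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Allow-list (hypothetical): request option => SQL expression written by the developer.
// Only the keys are ever compared with user input; the values are fixed code.
const DUAL_EXPRESSIONS = [
    'time'      => 'SYSDATE',
    'timestamp' => 'SYSTIMESTAMP',
    'session'   => 'CURRENT_DATE',
];

// Build the statement text. The function name comes from the allow-list,
// while the format mask stays a placeholder so it is always treated as data.
function buildDualQuery(string $option): string
{
    if (!array_key_exists($option, DUAL_EXPRESSIONS)) {
        throw new InvalidArgumentException('Unsupported option');
    }
    return sprintf(
        'SELECT TO_CHAR(%s, :fmt) AS "result" FROM DUAL',
        DUAL_EXPRESSIONS[$option]
    );
}

// Run the query on an existing PDO OCI connection; $format is bound, never interpolated.
function fetchServerValue(PDO $db, string $option, string $format): string
{
    $stmt = $db->prepare(buildDualQuery($option));
    $stmt->execute([':fmt' => $format]);
    return (string) $stmt->fetchColumn();
}

// Constructed sample inputs: two valid options and two strings that are not keys,
// including the literal the question tried to bind.
foreach (['time', 'timestamp', 'SYSDATE()', 'unknown'] as $option) {
    try {
        echo $option, ' => ', buildDualQuery($option), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $option, ' => rejected', PHP_EOL;
    }
}
```

With a connection such as the `$db` object from the question, `fetchServerValue($db, 'time', 'YYYY-MM-DD HH24:MI:SS')` returns the formatted database date.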
