Inserting data in Oracle database using PHP
Problem description
The following code is generating
Warning: oci_execute() [function.oci-execute]:
ORA-00911: invalid character in F:\wamp\www\SEarch Engine\done.php on line 17
The code is...
<?php
include_once('config.php');
$db = oci_new_connect(ORAUSER,ORAPASS,"localhost/XE");
$url_name=$_POST['textfield'];
$keyword_name=$_POST['textarea'];
$cat_news=$_POST['checkbox'];
$cat_sports=$_POST['checkbox2'];
$anchor_text=$_POST['textfield2'];
$description=$_POST['textarea2'];
$sql1="insert into URL(Url_ID,Url_Name,Anchor_Text,Description)
VALUES( 9,".'{$url_name}'.",".'{$anchor_text}'.",".'{$description}'.")";
$result=oci_parse($db,$sql1);
oci_execute($result);
?>
Recommended answer
Never insert user input directly into SQL. Use oci_bind_by_name() to prepare a secure statement. As a side effect, that will also fix the error you're getting (which is a quoting typo). The code would look like
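// $db is the connection opened with oci_new_connect() in the question
$url_name = $_POST['textfield'];
$anchor_text = $_POST['textfield2'];
// The question's form sends the description as 'textarea2'
$description = $_POST['textarea2'];
// Placeholders keep the SQL text constant; user input never becomes part of it
$sql = 'INSERT INTO URL(Url_ID,Url_Name,Anchor_Text,Description) '.
'VALUES(9, :url, :anchor, :description)';
$compiled = oci_parse($db, $sql);
// Each value is bound by name and sent to Oracle as data
oci_bind_by_name($compiled, ':url', $url_name);
oci_bind_by_name($compiled, ':anchor', $anchor_text);
oci_bind_by_name($compiled, ':description', $description);
oci_execute($compiled);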
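The quoting error and the bound statement from the answer above, as an added example that is not part of the original post: it prints the SQL text the question's concatenation builds, then the text a quotes-only repair would build for an input containing an apostrophe, and defines a bound insert with error checks. The helper name insert_url() and the sample values are assumptions; the field names are those of the question's form.

```php
<?php
// Added example, not code from the original post. Sample values are constructed.
$url_name    = 'http://example.test/';
$anchor_text = "Bob's page";            // constructed input containing an apostrophe
$description = 'demo entry';

// The question's concatenation: PHP does not interpolate single-quoted strings,
// so the SQL text carries literal {$url_name} tokens and Oracle rejects the "{".
$asked = "insert into URL(Url_ID,Url_Name,Anchor_Text,Description)
VALUES( 9,".'{$url_name}'.",".'{$anchor_text}'.",".'{$description}'.")";
echo $asked, "\n\n";

// Repairing only the quotes makes the input part of the SQL text: the apostrophe
// in $anchor_text ends the string literal early and the statement no longer parses.
$quoted = "INSERT INTO URL(Url_ID,Url_Name,Anchor_Text,Description) "
        . "VALUES(9,'{$url_name}','{$anchor_text}','{$description}')";
echo $quoted, "\n";

// Bound version: the SQL text is constant and the values travel separately.
// insert_url() is a hypothetical helper name; $db is an open OCI8 connection.
function insert_url($db, array $post): bool
{
    $binds = ['textfield' => ':url', 'textfield2' => ':anchor', 'textarea2' => ':description'];
    $stmt = oci_parse($db, 'INSERT INTO URL(Url_ID,Url_Name,Anchor_Text,Description) '
                         . 'VALUES(9, :url, :anchor, :description)');
    if ($stmt === false) {
        error_log('oci_parse: ' . (oci_error($db)['message'] ?? 'unknown error'));
        return false;
    }
    $values = [];
    foreach ($binds as $field => $placeholder) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;               // missing field or array-valued parameter
        }
        $values[$field] = $post[$field];
        // Binding is by reference, so bind the array slot, not a loop variable.
        oci_bind_by_name($stmt, $placeholder, $values[$field]);
    }
    // @ keeps the ORA- message out of the page; it goes to the server log instead.
    if (!@oci_execute($stmt)) {
        error_log('oci_execute: ' . (oci_error($stmt)['message'] ?? 'unknown error'));
        return false;
    }
    return true;
}
```

The top-level part runs without the OCI8 extension; insert_url($db, $_POST) needs the connection from the question.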