1

Inserting data into an Oracle DB using OCI8. Sample query to insert a string with special characters or quotes:

 update TABLENAME set COMMENTS = 'As per Mark's email dated 28-Feb-2015 - Bill Gates & Team's effort' where ID = 99;

To insert/update

$query = "update TABLENAME set COMMENTS = '" . $_POST['comments'] . "' where ID = 99";   // user input concatenated into the SQL text

$result = customexecute($query);

public function customexecute($query)
{
    $result = parent::customquery($query);
    return $result;
}


public static function customquery($query)
{
    try {
        $conn = db_singleton::getInstance();
        $stmt = oci_parse($conn, $query);
        oci_execute($stmt, OCI_COMMIT_ON_SUCCESS);
        oci_commit($conn);
        oci_free_statement($stmt);
    } catch (Exception $e) {
        // note: oci_* functions return false on failure rather than throwing,
        // so this catch block never sees an Oracle error
        print_r($e);
    }
}

Executing it on the Oracle DB, it says "SQL command not properly ended". I looked into the parameterized queries mentioned here but was not able to integrate them successfully.

$query = 'UPDATE tablename SET field = :field WHERE id = :id';
$stmt = oci_parse($oracleConnection, $query);
// bind variables are passed by reference, so they must be variables, not literals
$field = "The field value with 'apostrophes' and so";
$id = '125';
oci_bind_by_name($stmt, ':field', $field);
oci_bind_by_name($stmt, ':id', $id);
$result = oci_execute($stmt);

I can pass :bind_comments in my query, which is in my controller. But $stmt resides in my db_singleton file (general for all DB queries) and cannot be passed separately for an individual query.

How can I sanitize user input, or prevent data from being used to build the SQL code?

2
  • Can you post a complete snippet please? I'm missing the code that creates the SQL string ($query) and the binding part. Commented Mar 5, 2015 at 7:13
  • @Mureinik check the snippet. Commented Mar 5, 2015 at 8:19

3 Answers

1

From the update function, pass everything needed to the execute function:

$result = customExecute(
    'update xxx set comments=:COMMENTS where id=:ID',
    [
        ':COMMENTS' => $_POST['comment'],
        ':ID' => 99
    ]
);

Then in the execute function simply iterate the array to bind all params:

public static function customExecute($sql, array $params = [])
{
    // $conn: the OCI8 connection resource, e.g. db_singleton::getInstance()
    $stmt = oci_parse($conn, $sql);
    // oci_bind_by_name binds by reference; iterating with &$value binds each
    // array element itself rather than a per-iteration copy
    foreach ($params as $key => &$value) {
        oci_bind_by_name($stmt, $key, $value);
    }
    unset($value);   // drop the dangling reference left behind by the foreach
    $result = oci_execute($stmt);
    ...
}

10 Comments

timclutton: $result = oci_execute($stmt); echo $result; The output is 1
Yes, because the return value from oci_execute is bool. What do you expect $result to contain?
timclutton: COMMENT is a reserved word in Oracle. Changing it to MYCOMMENTS works though. Also, if I have only one variable to bind, do I need to loop or can I just use oci_bind_by_name($stmt, ":MYCOMMENTS", $comments); ?
If there are no params in the query (e.g. select * from dual) then passing an empty array will cause the loop not to execute and nothing to bind. Even better would be to make the parameter optional (function customExecute($sql, $params = [])); then you can omit the param from the call.
Upvoted and accepted. And the one i was curious about stackoverflow.com/questions/29002992/…
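As an added example (not code from the question or from any of the answers), here is the accepted answer's pattern carried through to a complete OCI8 executor: the SQL text stays a constant, every user value goes through a bind variable, and Oracle errors are surfaced with their position in the statement instead of being swallowed. It assumes $conn is an open oci8 connection (oci_connect or oci_pconnect) and that a table TABLENAME(ID, COMMENTS) exists; the hostile comment value at the end is constructed for illustration.

```php
<?php
// Added example, not part of the original page.
// Assumptions: $conn is an open oci8 connection; TABLENAME(ID, COMMENTS) exists.

/**
 * Execute $sql with named bind variables taken from $params.
 * Returns the number of rows affected (DML). Throws on any Oracle error,
 * including the error message, ORA code and offset into the SQL text.
 */
function customExecute($conn, string $sql, array $params = []): int
{
    // Sanity check: every :name in the SQL must have a value in $params and
    // vice versa, so a typo such as :COMMENT vs :COMMENTS fails loudly here.
    // (Naive regex: it also matches ":word" inside string literals; acceptable
    // because a parameterised statement should not contain literals anyway.)
    preg_match_all('/:([A-Za-z_][A-Za-z0-9_]*)/', $sql, $m);
    $inSql = array_map('strtoupper', $m[1]);                     // bind names are case-insensitive
    $given = array_map(fn($k) => strtoupper(ltrim($k, ':')), array_keys($params));
    $missing = array_diff($inSql, $given);
    $unused  = array_diff($given, $inSql);
    if ($missing || $unused) {
        throw new InvalidArgumentException(sprintf(
            'bind mismatch: missing [%s], unused [%s]',
            implode(',', $missing), implode(',', $unused)));
    }

    $stmt = oci_parse($conn, $sql);
    if ($stmt === false) {
        $e = oci_error($conn);
        throw new RuntimeException('oci_parse: ' . $e['message']);
    }

    // oci_bind_by_name binds BY REFERENCE: bind the array element itself, not a
    // loop variable that is overwritten on the next iteration.
    foreach (array_keys($params) as $key) {
        $name = ':' . ltrim($key, ':');
        if (!oci_bind_by_name($stmt, $name, $params[$key])) {
            $e = oci_error($stmt);
            throw new RuntimeException("bind $name: " . $e['message']);
        }
    }

    // No auto-commit: commit only if execute succeeded, roll back otherwise.
    if (!oci_execute($stmt, OCI_NO_AUTO_COMMIT)) {
        $e = oci_error($stmt);   // carries 'sqltext' and 'offset' for the failing statement
        oci_rollback($conn);
        oci_free_statement($stmt);
        throw new RuntimeException(sprintf('%s (ORA-%05d) at offset %d in: %s',
            $e['message'], $e['code'], $e['offset'], $e['sqltext']));
    }
    $rows = oci_num_rows($stmt);
    oci_commit($conn);
    oci_free_statement($stmt);
    return $rows;
}

// The comment from the question: the quotes and the '&' travel as data, so
// nothing needs escaping and the SQL text Oracle parses never changes.
$comment = "As per Mark's email dated 28-Feb-2015 - Bill Gates & Team's effort";
$rows = customExecute($conn,
    'UPDATE TABLENAME SET COMMENTS = :COMMENTS WHERE ID = :ID',
    [':COMMENTS' => $comment, ':ID' => 99]);

// Constructed hostile input. With string concatenation the statement would have
// become   ... SET COMMENTS = 'x' WHERE ID = 1 --' WHERE ID = 99
// and rewritten row 1. Bound, it is just a string stored in row 99.
$hostile = "x' WHERE ID = 1 --";
customExecute($conn,
    'UPDATE TABLENAME SET COMMENTS = :COMMENTS WHERE ID = :ID',
    [':COMMENTS' => $hostile, ':ID' => 99]);
```

The placeholder check is a convenience, not a security control; the security property comes from the fact that the SQL text handed to oci_parse contains no user data at all. When a statement does fail, the 'offset' field of oci_error points at the character where the parser gave up, which is the quickest way to locate an "ORA-00933: SQL command not properly ended" in a hand-built query.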
0

No, unsurprisingly, MySQL functions won't work with Oracle DB :)

You need to parameterise things, e.g.:

$query = 'update TABLENAME set COMMENTS = :bind_comments where id = :bind_id';
$stmt = $dbh->prepare($query);
$stmt->bindParam(':bind_comments', $_POST['comments']);
$stmt->bindParam(':bind_id', $_POST['id']);

$stmt->execute();

3 Comments

I can pass :bind_comments in my query which is in controller. But $stmt resides in my db_singleton file (general for DB queries) and can not pass seperately for a individual query.
You don't need to pass the $stmt from your singleton. The statement is generated every time you prepare a query (the $dbh->prepare($query); line). All you need is to access the $dbh (database handle) from your code. Anyway, this code is using PDO, and the Oracle PDO driver isn't the recommended way to access an Oracle DB (it's marked as experimental: php.net/manual/en/ref.pdo-oci.php)
Agreed. As others have said, I would use OCI rather than PDO for Oracle. Use an array if you need to pass in multiple bind parameters & their values
0

The correct way of using the OCI8 PHP extensions is:

$query = 'UPDATE tablename SET field = :field WHERE id = :id';
$stmt = oci_parse($oracleConnection, $query);
// bind variables are passed by reference, so they must be variables, not literals
$field = "The field value with 'apostrophes' and so";
$id = '125';
oci_bind_by_name($stmt, ':field', $field);
oci_bind_by_name($stmt, ':id', $id);
$result = oci_execute($stmt);

More information: http://php.net/manual/book.oci8.php

1 Comment

mHouses: The correct way is mentioned in the manual, but how can I modify it according to the above code structure?
