Inserting data in oracle database using php_问答_开发者

The following code is generating this

Warning: oci_execute() [function.oci-execute]: 
ORA-00911: invalid character in F:\wamp\www\SEarch Engine\done.php  on line 17

the code is...

<?php
include_once('config.php');
$db = oci_new_connect(ORAUSER,ORAPASS,"localhost/XE");

$url_name=$_POST['textfield'];
$keyword_name=$_POST['textarea'];
$cat_news=$_POST['checkbox'];
$cat_sports=$_POST['checkbox2'开发者_高级运维];
$anchor_text=$_POST['textfield2'];
$description=$_POST['textarea2'];

$sql1="insert into URL(Url_ID,Url_Name,Anchor_Text,Description) 
    VALUES( 9,".'{$url_name}'.",".'{$anchor_text}'.",".'{$description}'.")";



$result=oci_parse($db,$sql1);
oci_execute($result);





?>

Never insert user input directly into SQL. Use oci_bind_by_name() to prepare a secure statement. As a side effect, that will also fix the error you're getting (which is a quoting typo). The code would look like

$url_name = $_POST['textfield'];
$anchor_text = $_POST['textfield2'];
$description = $_POST['textfield3'];

$sql = 'INSERT INTO URL(Url_ID,Url_Name,Anchor_Text,Description) '.
       'VALUES(9, :url, :anchor, :description)';

$compiled = oci_parse($db, $sql);

oci_bind_by_name($compiled, ':url', $url_name);
oci_bind_by_name($compiled, ':anchor', $anchor_text);
oci_bind_by_name($compiled, ':description', $description);

oci_execute($compiled);

You've got a few problems here. First, variables aren't interpolated into strings enclosed in single quotes. Try this simple script to see what I mean:

$a = 'hi';
print 'Value: $a'; // prints 'Value: $a'

vs.

$a = 'hi';
print "Value: $a"; // prints 'Value: hi'

Secondly, you'll need to escape the variables before using them to construct an SQL query. A single "'" character in any of the POST variables will break your query, giving you an invalid syntax error from Oracle.

Lastly, and perhaps most importantly, I hope this is just example code? You're using unfiltered user input to construct an SQL query which leaves you open to SQL injection attacks. Escaping the variables will at least prevent the worst kind of attacks, but you should still do some validation. Never use 'tainted' data to construct queries.

It's rather hard to say without seeing what the generated SQL looks like, what charset you are posting in and what charset the database is using.

Splicing unfiltered user content into an SQL statement and sending it to the DB is a recipe for disaster. While other DB APIs in PHP have an escape function, IIRC this is not available for Oracle - you should use data binding.

It's because you have un-quoted quote characters in the query string. Try this instead:

$sql1="insert into URL(Url_ID,Url_Name,Anchor_Text,Description) 
  VALUES( 9,\".'{$url_name}'.\",\".'{$anchor_text}'.\",\".'{$description}'.\")";

You need single quotes around the varchar fields that you are inserting (which I presume are url_name, anchor_text, and description). The single quote that you currently have just make those values a String but in Oracle, varchar fields need to have single quotes around them. Try this:

$sql1="insert into URL(Url_ID,Url_Name,Anchor_Text,Description) VALUES( 9,'".'{$url_name}'."','".'{$anchor_text}'."','".'{$description}'."')";

I don't have PHP anywhere to test it, but that should create the single quotes around your values.

Because really the sql you will eventually be executing on the database would look like this:

insert into URL
(
 Url_ID,
 Url_Name,
 Anchor_Text,
 Description
) 
VALUES
( 
 9,
 'My Name',
 'My Text',
 'My Description'
)

The main article Binding Variables in Oracle and PHP appears to be down but here is the Google Cache Version that goes into detail about how to bind variables in PHP. You definitely want to be doing this for 1) performance and 2) security from SQL injection.

Also, my PHP is a bit rusty but looks like you could also do your original query statement like this:

$sql1="insert into URL(Url_ID,Url_Name,Anchor_Text,Description) values ( 9, '$url_name', '$anchor_text', '$description')";

Edit
Also, you need to escape any single quotes that may be present in the data you receive from your form variables. In an Oracle sql string you need to convert single quotes to 2 single quotes to escape them. See the section here titled "How can I insert strings containing quotes?"

If you are still in starting developing, I want to suggest to use AdoDB instead of oci_ functions directly.

Your code above can be rewritten using AdoDB like this:

<?php
include_once('config.php');

$url_name=$_POST['textfield'];
$keyword_name=$_POST['textarea'];
$cat_news=$_POST['checkbox'];
$cat_sports=$_POST['checkbox2'];
$anchor_text=$_POST['textfield2'];
$description=$_POST['textarea2'];

//do db connection
$adodb =& ADONewConnection("oci8://ORAUSER:ORAPASS@127.0.0.1/XE");
if ( ! $adodb )
{
  die("Cannot connect to database!");
}
//set mode
$adodb->SetFetchMode(ADODB_FETCH_BOTH);

//data for insert
$tablename = 'URL';
$data['Url_ID'] = 9;
$data['Url_Name'] = $url_name;
$data['Anchor_Text'] = $anchor_text;
$data['Description'] = $description;

$result = $adodb->AutoExecute($tablename, $data, 'INSERT');
if ( ! $result )
{
  die($adodb->ErrorMsg());
  return FALSE;
}
//reaching this line meaning that insert successful

In my code above, you just need to make an associative array, with the column name as key, and then assign the value for the correct column. Data sanitation is handled by AdoDB automatically, so you not have to do it manually for each column.

AdoDB is multi-database library, so you can change the databas enginge with a minimal code change in your application.