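These are 4 fields: oprid, oprname, empid, and the other field is email. I want to search by oprid, oprname, empid or email, but it does not work:
Warning: oci_fetch_array(): ORA-24374: define not done before fetch or execute and fetch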
<?php
{
include ('connection.php');
if(isset($_REQUEST['submit'])){
$optid = $_POST['OPRID'];
$optdec = $_POST['OPRDEFNDESC'];
$empid = $_POST['EMPLID'];
$empmail = $_POST['EMAILID'];
$query ="SELECT * FROM OPERATOR WHERE OPRID LIKE '%".$optid."%'
or OPRDEFNDESC LIKE '%".$optdec."%' or EMPLID LIKE '%".$empid."%'
or EMAILID LIKE '%".$empmail."%' ";
}
else{
$query="SELECT * FROM OPERATOR";
$objParse = oci_parse ($ora_conn, $query);
}
?>
<form action="multi.php" method="get" action="<?=$_SERVER['SCRIPT_NAME'];?>">
<table width="500" border="0" align="center">
<tr>
<th>Operator ID
<input name="OPRID" type="text" id="OPRID" value="";>
<tr>
<th>Operator Name
<input name="OPRDEFNDESC" type="text" id="OPRDEFNDESC" value="";>
<tr>
<th>Person ID
<input name="EMPLID" type="text" id="EMPLID" value="";>
<tr>
<th>Email ID
<input name="EMAILID" type="text" id="EMAILID" value="";>
<input type="submit" value="Search"></th>
</tr>
</table>
</form>
<table>
<tr>
<td>Operator ID</td>
<td>Operator Name</td>
<td>Person ID</td>
<td>Email ID</td>
</tr>
<?
while($objResult = oci_fetch_array($objParse, OCI_RETURN_NULLS+OCI_ASSOC))
{
?>
<tr>
<td><div align="center"><?=$objResult["OPRID"];?></div></td>
<td><?=$objResult["OPRDEFNDESC"];?></td>
<td><?=$objResult["EMPLID"];?></td>
<td><div align="center"><?=$objResult["EMAILID"];?></div></td>
<td align="center"><a href="Optr_Edit.php?OprID=<?=$objResult["OPRID"];?>">Edit</a>
</td>
</tr>
<?
}
?>
</table>
<?
oci_free_statement($objParse);
oci_close($ora_conn);
}
?>
</body>
</html>
Answer 0 (score: 1)
You must execute the query before you can try to fetch rows. oci_parse() does not execute the given query.
Add an execute call before fetching:
$success = oci_execute($objParse);
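Also, in the first block of the if, you do not call oci_parse(). It is only called in the else. Change it so that oci_parse() is called for all conditions.
Your query is vulnerable to SQL injection because you concatenate raw POST data into it. To prevent SQL injection, use bind parameters: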
// Put the LIKE wildcards into the bound values, not into the SQL text
$optid = '%' . $_POST['OPRID'] . '%';
$optdec = '%' . $_POST['OPRDEFNDESC'] . '%';
$empid = '%' . $_POST['EMPLID'] . '%';
$empmail = '%' . $_POST['EMAILID'] . '%';
// Each placeholder stands alone; a placeholder inside quotes is a string literal, not a bind
$query = "SELECT * FROM OPERATOR WHERE OPRID LIKE :optid
or OPRDEFNDESC LIKE :optdec or EMPLID LIKE :empid
or EMAILID LIKE :empemail ";
$objParse = oci_parse($ora_conn, $query);
oci_bind_by_name($objParse, ':optid', $optid);
oci_bind_by_name($objParse, ':optdec', $optdec);
oci_bind_by_name($objParse, ':empid', $empid);
// Bind the variable defined above ($empmail)
oci_bind_by_name($objParse, ':empemail', $empmail);
$success = oci_execute($objParse);
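An added example (not part of the question or the answer) that carries the bound-parameter search one step further: with four OR'ed LIKE conditions, any field left empty binds as '%%' and matches every non-null row, and a literal % or _ typed by the user acts as a wildcard. The sketch below builds the WHERE clause only from the fields that were filled in and escapes LIKE metacharacters; the names SEARCH_FIELDS, like_pattern, build_operator_search and run_operator_search are hypothetical, and the column names are the ones from the question.

```php
<?php
// Added example; column names are the ones used in the question.
const SEARCH_FIELDS = ['OPRID', 'OPRDEFNDESC', 'EMPLID', 'EMAILID'];

// Escape LIKE metacharacters (backslash first) so input matches literally.
function like_pattern(string $term): string
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
    return '%' . $escaped . '%';
}

// Build SQL text and bind map; only non-empty string fields add a predicate.
function build_operator_search(array $input): array
{
    $where = [];
    $binds = [];
    foreach (SEARCH_FIELDS as $i => $col) {
        $term = is_string($input[$col] ?? null) ? trim($input[$col]) : '';
        if ($term === '') {
            continue;
        }
        $name = ':p' . $i;                      // generated name, never user input
        $where[] = "$col LIKE $name ESCAPE '\\'";
        $binds[$name] = like_pattern($term);
    }
    $sql = 'SELECT OPRID, OPRDEFNDESC, EMPLID, EMAILID FROM OPERATOR';
    if ($where) {
        $sql .= ' WHERE ' . implode(' OR ', $where);
    }
    return [$sql, $binds];
}

// oci_bind_by_name() binds by reference: bind the array element itself,
// not a foreach value copy that changes on the next iteration.
function run_operator_search($conn, array $input)
{
    [$sql, $binds] = build_operator_search($input);
    $stmt = oci_parse($conn, $sql);
    foreach (array_keys($binds) as $name) {
        oci_bind_by_name($stmt, $name, $binds[$name]);
    }
    return oci_execute($stmt) ? $stmt : false;
}

// Constructed sample input: two fields filled, both containing LIKE wildcards.
[$sql, $binds] = build_operator_search(['OPRID' => 'A_1', 'EMAILID' => '50%@example.com']);
echo $sql, "\n";
print_r($binds);
```

The last three lines run without a database connection and print the generated statement and its bind values; run_operator_search() needs the oci8 extension and an open connection such as $ora_conn from the question.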