I am getting these errors:
Warning: ociexecute() [function.ociexecute]: ORA-00936: missing expression in /home/sjrem/public_html/ssss.php on line 31
Warning: ocifetch() [function.ocifetch]: ORA-24374: define not done before fetch or execute and fetch in /home/sjrem/public_html/ssss.php on line 49
I want to search the Oracle database for a VIN number. What am I doing wrong?
```php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Search</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<?php
/* Set oracle user login and password info */
$dbuser = "sjrem"; /* your deakin login */
$dbpass = "shn"; /* your oracle access password */
$db = "SSID";
$connect = OCILogon($dbuser, $dbpass, $db);
if (!$connect) {
    echo "An error occurred connecting to the database";
    exit;
}
/* build sql statement using form data */
$query = "SELECT * from cars WHERE vin=$VIN";
/* check the sql statement for errors and if errors report them */
$stmt = OCIParse($connect, $query);
//echo "SQL: $query<br>";
if(!$stmt) {
    echo "An error occurred in parsing the sql string.\n";
    exit;
}
OCIExecute($stmt);?>
<h1 class="green">PHP and Oracle databases</h1>
<h4>Table: <em>Cars</em></h4>
<div align="center">
<table width="850" border="0" bgcolor="#339933" cellpadding="5" cellspacing="1">
<tr bgcolor="#006633">
<td width="75" style="color:#ffff99">Vin Number</td>
<td width="75" style="color:#ffff99">Car</td>
<td width="100" style="color:#ffff99">Colour</td>
<td width="75" style="color:#ffff99">Drivetrain</td>
<td width="75" style="color:#ffff99">Location</td>
</tr>
<?php
while(OCIFetch($stmt)) {
    // Start a row for each record
    echo("<tr valign=top bgcolor=#ccffcc>");
    $fg1 = OCIResult($stmt,"VIN");
    echo("<td width=75>");
    echo ($fg1);
    echo("</td>");
    $fg2 = OCIResult($stmt,"CAR");
    echo("<td width=75>");
    echo ($fg2);
    echo("</td>");
    $fg3 = OCIResult($stmt,"COLOUR");
    echo("<td width=75>");
    echo ($fg3);
    echo("</td>");
    $fg4 = OCIResult($stmt,"DRIVETRAIN");
    echo("<td width=75>");
    echo ($fg4);
    echo("</td>");
    $fg5 = OCIResult($stmt,"LOCATION");
    echo("<td width=75>");
    echo ($fg5);
    echo("</td>");
    // End the row
    echo("</tr>");
}
// Close the connection
OCILogOff ($connect);
?>
</table>
</div>
</body>
</html>
```
Answer 0 (score: 2)
If $vin is empty or not set, the query becomes invalid. If $vin contains a string with non-numeric characters, the query will most likely be invalid as well.
You could add quotes around the value, but in that case you also need to escape the value itself. Any search string containing a quote would make your query invalid again, and could corrupt your database! If I were to search for volvo'; delete from cars; --
your query would run fine, but it would also delete all the values in the table. This is called SQL injection.
The best way to solve this is to use bind parameters for the query, especially in Oracle. There are some examples in the topic on oci_bind_by_name on PHP.net that can help you.
Answer 1 (score: 0)
It would help if you told us where those lines are, but if you google the error you get this page
It seems you get this error if your query is bad? Now you have this:
"SELECT * from cars WHERE vin=$VIN"
For example, I never see $VIN
being populated, so it probably translates to
SELECT * from cars WHERE vin=
which is invalid SQL. Also, as @jensgram said in the comments: if it is a string you should surround it like this:
SELECT * from cars WHERE vin='$VIN'
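Both answers turn on the same line of the question's script: `WHERE vin=$VIN` is built by string interpolation, and the quoted form `WHERE vin='$VIN'` from answer 1 is still interpolation, which is exactly the case answer 0 shows being injected with `volvo'; delete from cars; --`. The following is an added example, not code from the question or either answer, showing the bind-variable fix answer 0 recommends. It uses the oci_* function names (the OCILogon/OCIParse aliases in the question were later removed from PHP), takes the search value from a `vin` query-string parameter instead of relying on register_globals, and handles the empty-input case that produced the ORA-00936 error. The credentials, the `vin` parameter name and the assumption that the column holds standard 17-character VINs are all placeholders for illustration.

```php
<?php
// Added example (not the question's or the answers' code): look up a car by VIN
// with a bind variable instead of building the SQL text from user input.

// Read the search value explicitly from the request. In the original script $VIN
// was never assigned (register_globals is off by default), so the SQL ended in
// "WHERE vin=" and Oracle reported ORA-00936: missing expression.
$vin = filter_input(INPUT_GET, 'vin', FILTER_DEFAULT);   // parameter name is an assumption
if ($vin === null || $vin === false || trim($vin) === '') {
    exit('Please supply a VIN.');
}
$vin = trim($vin);

// Optional sanity check, assuming standard 17-character VINs (no I, O or Q).
// This is input validation, not the injection defence; the bind below is.
if (!preg_match('/^[A-HJ-NPR-Z0-9]{17}$/i', $vin)) {
    exit('That does not look like a VIN.');
}

$conn = oci_connect('sjrem', 'CHANGEME', 'SSID');   // placeholder credentials
if (!$conn) {
    $e = oci_error();
    error_log('OCI connect failed: ' . $e['message']);  // log the detail, do not echo it
    exit('Database connection failed.');
}

// :vin is a bind placeholder. The statement text never contains the user's value,
// so "volvo'; delete from cars; --" is compared against the VIN column as a plain
// string and simply matches no row.
$sql  = 'SELECT vin, car, colour, drivetrain, location FROM cars WHERE vin = :vin';
$stmt = oci_parse($conn, $sql);
oci_bind_by_name($stmt, ':vin', $vin);   // binds by reference; $vin must be a variable

if (!oci_execute($stmt)) {
    $e = oci_error($stmt);
    error_log('OCI execute failed: ' . $e['message']);
    exit('Query failed.');
}

echo "<table>\n";
while (($row = oci_fetch_assoc($stmt)) !== false) {
    echo '<tr>';
    foreach (['VIN', 'CAR', 'COLOUR', 'DRIVETRAIN', 'LOCATION'] as $col) {
        // Escape on output too: whatever is stored in the table is untrusted HTML.
        echo '<td>' . htmlspecialchars((string) $row[$col], ENT_QUOTES, 'UTF-8') . '</td>';
    }
    echo "</tr>\n";
}
echo "</table>\n";

oci_free_statement($stmt);
oci_close($conn);
```

Two points worth noting: the regex is there only to reject obviously malformed input early and must not be mistaken for the protection (a bound value is safe whatever characters it contains), and Oracle errors are logged rather than printed, since ORA-xxxxx messages reveal table and column names to whoever is probing the form.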