Does a PHP string not like having multiple variables inserted?

Posted 2024-08-23 12:06:21

I'm using PHP 5.2 with Oracle Database 11.1.

The code

$query = oci_parse($conn, "SELECT * FROM COMMENTS WHERE PINID=$pinID and COMMENTID=$commentID");

results in this error:

Warning: oci_execute() [function.oci-execute]: ORA-00904: "COMMENTS": invalid identifier in C:\IODwww\hello.php on line 159

But running this works fine:

$query = oci_parse($conn, "SELECT * FROM COMMENTS WHERE PINID=$pinID and COMMENTID=1");

Is this a result of me injecting multiple variables into the query string, or am I making some other mistake?

Comments (4)

無處可尋 2024-08-30 12:06:21

For both performance and SQL Injection reasons, you should be using placeholder variables, like so:

$query = oci_parse($conn, "SELECT * FROM COMMENTS WHERE PINID = :pinID and COMMENTID = :commentID");
oci_bind_by_name($query, ':pinID', $pinID, -1, SQLT_INT);
oci_bind_by_name($query, ':commentID', $commentID, -1, SQLT_INT);
oci_execute($query);

烈酒灼喉 2024-08-30 12:06:21

oci_execute()'s warning is not a PHP warning. There is something wrong with the resulting query.

Print it out and take a look at it.

无声情话 2024-08-30 12:06:21

There is no problem with multiple variables in a PHP string.

To debug the problem, you can try:

var_dump("SELECT * FROM COMMENTS WHERE PINID=$pinID and COMMENTID=$commentID");

and see if the output really matches:

string(...) "SELECT * FROM COMMENTS WHERE PINID=1 and COMMENTID=1" 

The only things I can think of are that commentID is empty or contains a "\n" or something attached to it that causes the error.

The error code the database puts out, "The column name entered is either missing or invalid.", doesn't make much sense to me if it works with =1.

牵你的手,一向走下去 2024-08-30 12:06:21

Try to put the variables within brackets:

$query = oci_parse($conn, "SELECT * FROM COMMENTS WHERE PINID={$pinID} and COMMENTID={$commentID}");

Also make sure that $commentID is not returning a blank value which would leave just COMMENTID= at the end and would cause an error when trying to run the query.
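The bind-variable approach from the first answer and the blank-value check from the last one, put together as an added example (not code from the question or any of the answers). It assumes a connection $conn obtained from oci_connect() and the COMMENTS table with numeric PINID and COMMENTID columns described in the question; fetch_comment is a hypothetical helper name.

```php
<?php
// Fetch one comment with Oracle bind variables instead of string interpolation.
// Assumes $conn from oci_connect() and a COMMENTS table with numeric PINID and
// COMMENTID columns (as in the question). Written for PHP 5.2-era OCI8.

function fetch_comment($conn, $pinID, $commentID)
{
    // Reject anything that is not a plain integer before it reaches the
    // database. An empty value or one with a trailing "\n" is exactly what
    // turns "COMMENTID=$commentID" into a broken statement when interpolated.
    if (!ctype_digit((string) $pinID) || !ctype_digit((string) $commentID)) {
        return false;
    }
    $pinID = (int) $pinID;
    $commentID = (int) $commentID;

    // The SQL text is constant; the values travel separately as bind
    // variables, so no input can change the structure of the statement.
    $sql = 'SELECT * FROM COMMENTS WHERE PINID = :pinID AND COMMENTID = :commentID';
    $stmt = oci_parse($conn, $sql);
    if (!$stmt) {
        return false;
    }
    oci_bind_by_name($stmt, ':pinID', $pinID, -1, SQLT_INT);
    oci_bind_by_name($stmt, ':commentID', $commentID, -1, SQLT_INT);

    if (!@oci_execute($stmt)) {
        // Log the Oracle error code and message server-side instead of
        // letting the warning (and the SQL text) reach the page output.
        $e = oci_error($stmt);
        error_log('ORA error ' . $e['code'] . ': ' . $e['message']);
        oci_free_statement($stmt);
        return false;
    }
    $row = oci_fetch_assoc($stmt);   // false when no such comment exists
    oci_free_statement($stmt);
    return $row;
}

// Usage with request parameters (constructed example):
// $row = fetch_comment($conn, $_GET['pin'], $_GET['comment']);
```

Because the statement text never changes, Oracle can reuse the parsed cursor across calls, which is the performance benefit the first answer refers to.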
