Error in PHP search function

I get the errors:

Warning: ociexecute() [function.ociexecute]: ORA-00936: missing expression in     /home/sjrem/public_html/ssss.php on line 31
Warning: ocifetch() [function.ocifetch]: ORA-24374: define not done before fetch or execute and fetch in /home/sjrem/public_html/ssss.php on line 49

I want to search the Oracle database for a VIN number. What am I doing wrong?

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Search</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<?php
/* Set oracle user login and password info */
$dbuser = "sjrem"; /* your deakin login */
$dbpass = "shn"; /* your oracle access password */
$db = "SSID";
$connect = OCILogon($dbuser, $dbpass, $db);
if (!$connect) {
    echo "An error occurred connecting to the database";
    exit;
}
/* build sql statement using form data */
$query = "SELECT * from cars WHERE vin=$VIN";
/* check the sql statement for errors and if errors report them */
$stmt = OCIParse($connect, $query);
//echo "SQL: $query<br>";
if (!$stmt) {
    echo "An error occurred in parsing the sql string.\n";
    exit;
}
OCIExecute($stmt);
?>

<h1 class="green">PHP and Oracle databases</h1>
<h4>Table: <em>Cars</em></h4>
<div align="center">
<table width="850" border="0" bgcolor="#339933" cellpadding="5" cellspacing="1">
<tr bgcolor="#006633">
<td width="75" style="color:#ffff99">Vin Number</td>
<td width="75" style="color:#ffff99">Car</td>
<td width="100" style="color:#ffff99">Colour</td>
<td width="75" style="color:#ffff99">Drivetrain</td>
<td width="75" style="color:#ffff99">Location</td>
</tr>
<?php
while (OCIFetch($stmt)) {
    // Start a row for each record
    echo("<tr valign=top bgcolor=#ccffcc>");
    $fg1 = OCIResult($stmt, "VIN");
    echo("<td width=75>");
    echo($fg1);
    echo("</td>");
    $fg2 = OCIResult($stmt, "CAR");
    echo("<td width=75>");
    echo($fg2);
    echo("</td>");
    $fg3 = OCIResult($stmt, "COLOUR");
    echo("<td width=75>");
    echo($fg3);
    echo("</td>");
    $fg4 = OCIResult($stmt, "DRIVETRAIN");
    echo("<td width=75>");
    echo($fg4);
    echo("</td>");
    $fg5 = OCIResult($stmt, "LOCATION");
    echo("<td width=75>");
    echo($fg5);
    echo("</td>");
    // End the row
    echo("</tr>");
}
// Close the connection
OCILogOff($connect);
?>
</table>
</div>

</body>
</html>

If $vin is empty or not set, the query is invalid. If $vin contains a string with a non-numeric character, the query will most likely be invalid too.

You could add quotes around the value, but in that case you would also need to escape the value itself. Any search string containing a quote would make your query invalid again and could damage your database! If I were to search for volvo'; delete from cars; --, your query would run fine but would also delete every row in the table. This is called SQL injection.

The best way to solve this, especially in Oracle, is to use bind parameters for the query. There are some examples of oci_bind_by_name on PHP.net that should get you going.

It would help if you told us which lines those are, but if you Google the error you get this page

It seems you get that error if your query is bad? Right now you have this:

"SELECT * from cars WHERE vin=$VIN"

For example, I never see $VIN being populated, so this probably translates to

SELECT * from cars WHERE vin=

which is invalid SQL. Also, as @jensgram says in the comments: if it is a string, you should wrap it in quotes, like this:

    SELECT * from cars WHERE vin='$VIN'
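Quoting the value as in the second answer fixes the ORA-00936 for a string column, but it does not fix the problem the first answer raises: a quote inside the search string still escapes out of the literal, `' OR '1'='1` returns the whole table, and a subquery can read other tables. The example below is added here and is not code from either answer or from the original post. It rewrites the search with a bind variable through oci_bind_by_name, so the VIN value is sent to Oracle separately from the fixed SQL text and can never change the statement. It assumes the oci8 extension (oci_* functions, PHP 5.3 or later), a table CARS with a string VIN column and the other four columns shown in the question, and that the VIN arrives as a `?VIN=` query-string parameter rather than through register_globals; the 17-character limit is a sanity check based on the standard VIN length, not something the question's schema guarantees.

```php
<?php
// Added example, not from the original post: the VIN search with a bound parameter.
// Assumes oci8, a CARS table with VIN as a string column, and $_GET['VIN'] as input.

function search_by_vin($conn, $vin)
{
    // :vin is a placeholder in fixed SQL text; the value is bound, not interpolated,
    // so quotes or SQL keywords in $vin cannot alter the statement.
    $sql  = 'SELECT vin, car, colour, drivetrain, location FROM cars WHERE vin = :vin';
    $stmt = oci_parse($conn, $sql);
    if (!$stmt) {
        $e = oci_error($conn);
        throw new RuntimeException('parse failed: ' . $e['message']);
    }
    oci_bind_by_name($stmt, ':vin', $vin);   // bound by reference to $vin
    if (!oci_execute($stmt, OCI_DEFAULT)) {  // read-only query, no commit needed
        $e = oci_error($stmt);
        oci_free_statement($stmt);
        throw new RuntimeException('execute failed: ' . $e['message']);
    }
    $rows = array();
    while (($row = oci_fetch_assoc($stmt)) !== false) {
        $rows[] = $row;                      // keys are upper-case column names
    }
    oci_free_statement($stmt);
    return $rows;
}

// Reject the input the question tripped over (an empty VIN) before touching the
// database. The length bound is an assumption: real VINs are 17 characters.
$vin = isset($_GET['VIN']) ? trim($_GET['VIN']) : '';
if ($vin === '' || strlen($vin) > 17) {
    header('HTTP/1.1 400 Bad Request');
    echo 'Please supply a VIN of up to 17 characters.';
    exit;
}

$conn = oci_connect('sjrem', 'shn', 'SSID');   // credentials as in the question
if (!$conn) {
    $e = oci_error();
    error_log('oci_connect: ' . $e['message']);  // detail goes to the log, not the user
    echo 'An error occurred connecting to the database';
    exit;
}

try {
    $rows = search_by_vin($conn, $vin);
} catch (RuntimeException $ex) {
    error_log($ex->getMessage());
    oci_close($conn);
    echo 'Search failed';
    exit;
}
oci_close($conn);

echo '<table>';
foreach ($rows as $row) {
    echo '<tr>';
    foreach (array('VIN', 'CAR', 'COLOUR', 'DRIVETRAIN', 'LOCATION') as $col) {
        // Escape on output as well: values read from the table are untrusted in HTML.
        echo '<td>' . htmlspecialchars($row[$col], ENT_QUOTES, 'UTF-8') . '</td>';
    }
    echo '</tr>';
}
echo '</table>';
```

Two points worth checking in your own version: oci_bind_by_name binds by reference, so the variable passed must still be in scope when oci_execute runs (do not bind a temporary expression), and the Oracle error text from oci_error should go to the server log rather than the page, since ORA messages and the SQL text they quote tell an attacker what to aim at.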