ansaurus

Question

Inserting data in oracle database using php.

Answer 1

A:

It's rather hard to say without seeing what the generated SQL looks like, what charset you are posting in and what charset the database is using.

Splicing unfiltered user content into an SQL statement and sending it to the DB is a recipe for disaster. While other DB APIs in PHP have an escape function, IIRC this is not available for Oracle - you should use data binding.

C.

symcbean 2010-01-22 17:37:02

Answer 2

A:

You need single quotes around the varchar fields that you are inserting (which I presume are url_name, anchor_text, and description). The single quote that you currently have just make those values a String but in Oracle, varchar fields need to have single quotes around them. Try this:

$sql1="insert into URL(Url_ID,Url_Name,Anchor_Text,Description) VALUES( 9,'".'{$url_name}'."','".'{$anchor_text}'."','".'{$description}'."')";

I don't have PHP anywhere to test it, but that should create the single quotes around your values.

Because really the sql you will eventually be executing on the database would look like this:

insert into URL
(
 Url_ID,
 Url_Name,
 Anchor_Text,
 Description
) 
VALUES
( 
 9,
 'My Name',
 'My Text',
 'My Description'
)

The main article Binding Variables in Oracle and PHP appears to be down but here is the Google Cache Version that goes into detail about how to bind variables in PHP. You definitely want to be doing this for 1) performance and 2) security from SQL injection.

Also, my PHP is a bit rusty but looks like you could also do your original query statement like this:

$sql1="insert into URL(Url_ID,Url_Name,Anchor_Text,Description) values ( 9, '$url_name', '$anchor_text', '$description')";

Edit
Also, you need to escape any single quotes that may be present in the data you receive from your form variables. In an Oracle sql string you need to convert single quotes to 2 single quotes to escape them. See the section here titled "How can I insert strings containing quotes?"

Dougman 2010-01-22 17:43:48

Thanx a lot it's working.....

2010-01-22 19:02:35

@sayket: Don't forget to mark an answer as accepted and/or vote it up if it solved your problem.

Dougman 2010-01-22 19:53:36

thnkx but now i see that it's actually not working.....it is inserting {$url_name},{$anchor_text},{description} instead of the values assigned to these variables from $_post method....

2010-01-23 03:07:17

@sayket: The one at the bottom should work. Also I added extra info on escaping single quotes in the info from your form.

Dougman 2010-01-23 03:31:09

Answer 3

A:

It's because you have un-quoted quote characters in the query string. Try this instead:

$sql1="insert into URL(Url_ID,Url_Name,Anchor_Text,Description) 
  VALUES( 9,\".'{$url_name}'.\",\".'{$anchor_text}'.\",\".'{$description}'.\")";

wallyk 2010-01-23 03:17:24

Answer 4

+1 A:

You've got a few problems here. First, variables aren't interpolated into strings enclosed in single quotes. Try this simple script to see what I mean:

$a = 'hi';
print 'Value: $a'; // prints 'Value: $a'

vs.

$a = 'hi';
print "Value: $a"; // prints 'Value: hi'

Secondly, you'll need to escape the variables before using them to construct an SQL query. A single "'" character in any of the POST variables will break your query, giving you an invalid syntax error from Oracle.

Lastly, and perhaps most importantly, I hope this is just example code? You're using unfiltered user input to construct an SQL query which leaves you open to SQL injection attacks. Escaping the variables will at least prevent the worst kind of attacks, but you should still do some validation. Never use 'tainted' data to construct queries.

Paul Osman 2010-01-23 03:23:44

Answer 5

+2 A:

Never insert user input directly into SQL. Use oci_bind_by_name() to prepare a secure statement. As a side effect, that will also fix the error you're getting (which is a quoting typo). The code would look like

$url_name = $_POST['textfield'];
$anchor_text = $_POST['textfield2'];
$description = $_POST['textfield3'];

$sql = 'INSERT INTO URL(Url_ID,Url_Name,Anchor_Text,Description) '.
       'VALUES(9, :url, :anchor, :description)';

$compiled = oci_parse($db, $sql);

oci_bind_by_name($compiled, ':url', $url_name);
oci_bind_by_name($compiled, ':anchor', $anchor_text);
oci_bind_by_name($compiled, ':description', $description);

oci_execute($result);

Max Shawabkeh 2010-01-23 03:25:26

Thanx a lot. it's working.

2010-01-23 23:35:03

Answer 6

A:

If you are still in starting developing, I want to suggest to use AdoDB instead of oci_ functions directly.

Your code above can be rewritten using AdoDB like this:

<?php
include_once('config.php');

$url_name=$_POST['textfield'];
$keyword_name=$_POST['textarea'];
$cat_news=$_POST['checkbox'];
$cat_sports=$_POST['checkbox2'];
$anchor_text=$_POST['textfield2'];
$description=$_POST['textarea2'];

//do db connection
$adodb =& ADONewConnection("oci8://ORAUSER:[email protected]/XE");
if ( ! $adodb )
{
  die("Cannot connect to database!");
}
//set mode
$adodb->SetFetchMode(ADODB_FETCH_BOTH);

//data for insert
$tablename = 'URL';
$data['Url_ID'] = 9;
$data['Url_Name'] = $url_name;
$data['Anchor_Text'] = $anchor_text;
$data['Description'] = $description;

$result = $adodb->AutoExecute($tablename, $data, 'INSERT');
if ( ! $result )
{
  die($adodb->ErrorMsg());
  return FALSE;
}
//reaching this line meaning that insert successful

In my code above, you just need to make an associative array, with the column name as key, and then assign the value for the correct column. Data sanitation is handled by AdoDB automatically, so you not have to do it manually for each column.

AdoDB is multi-database library, so you can change the databas enginge with a minimal code change in your application.

Donny Kurnia 2010-01-24 00:06:03

ansaurus

tags:

views:

answers:

Inserting data in oracle database using php.

related questions