
Currently I am executing the code like this to access data from an Oracle DB:

```php
// The value is passed through a bind variable; the SQL text itself is fixed.
$fetchVals = "select name, address from address_table where id_no=:number";
$parseStmt = oci_parse($conn, $fetchVals);

oci_bind_by_name($parseStmt, ':number', $numVal);
oci_execute($parseStmt);
```

My first question is: can I use the code below to achieve the same result?

```php
// The value is interpolated directly into the SQL string instead of being bound.
$fetchVals = "select name, address from address_table where id_no='$numVal'";
$parseStmt = oci_parse($conn, $fetchVals);

//oci_bind_by_name($parseStmt, ':number', $numVal);
oci_execute($parseStmt);
```

I checked it, and I am getting the correct result.

My second question is, does this code pose any other problems? If so, please explain.

Thanks

Jake
Mukund
    In your second example [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. From the docs, *"Binds a PHP variable variable to the Oracle bind variable placeholder bv_name. Binding is important for Oracle database performance and also as a way to avoid SQL Injection security issues."* You're not binding your variable in the second example. – Jay Blanchard Jul 08 '16 at 13:07
  • So will this problem exist in mysql-php? In almost all tutorials it's given like my second example – Mukund Jul 08 '16 at 13:11
    Yes, you must perform the binding to avoid any issues. – Jay Blanchard Jul 08 '16 at 13:12
  • @JayBlanchard Thank You – Mukund Jul 08 '16 at 13:16
    @Mukund, Sadly, you are correct about most tutorials. Which is why PHP is considered 'less than secure' as regards SQL queries. Those tutorials are at least 10 years out of date. PHP with mysql has had prepared queries for a long time (well over a decade). Similarly with Oracle etc. (see PDO). imo, *Never* use a PHP variable directly in an SQL query string and you will be 'safe'. – Ryan Vincent Jul 08 '16 at 15:30
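
The difference the comments point at, as an added example that is not from the question or its comments: the lookup done with oci8 bind variables and with PDO prepared statements (which covers the mysql-php case raised above), beside the string-building the second snippet relies on. `$conn` (an open oci_connect() handle), `$pdo` (an open PDO connection) and the `lookupAddress*` function names are assumptions; `address_table`, `id_no` and `:number` come from the question.

```php
<?php
// Added example, not from the question. Assumes $conn is an open oci_connect()
// handle and $pdo an open PDO connection (pdo_oci or pdo_mysql); the table
// address_table(id_no, name, address) is taken from the question.

// Safe with oci8: the SQL text is a constant and $numVal is sent as data only,
// so it can never change the statement Oracle parses.
function lookupAddressOci($conn, string $numVal): ?array
{
    $stmt = oci_parse($conn, 'SELECT name, address FROM address_table WHERE id_no = :number');
    oci_bind_by_name($stmt, ':number', $numVal);
    if (!oci_execute($stmt)) {
        $err = oci_error($stmt);
        oci_free_statement($stmt);
        throw new RuntimeException('query failed: ' . $err['message']);
    }
    $row = oci_fetch_assoc($stmt);
    oci_free_statement($stmt);
    return $row === false ? null : $row;
}

// Same pattern with PDO: a prepared statement with a named placeholder works
// identically against MySQL and Oracle, which is what the comments recommend
// instead of the tutorial-style interpolation.
function lookupAddressPdo(PDO $pdo, string $numVal): ?array
{
    $stmt = $pdo->prepare('SELECT name, address FROM address_table WHERE id_no = :number');
    $stmt->bindValue(':number', $numVal);
    if (!$stmt->execute()) {
        throw new RuntimeException('query failed: ' . implode(' ', $stmt->errorInfo()));
    }
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// What the second snippet does: the value becomes part of the statement text,
// so the SQL that reaches the parser depends on whatever the caller supplied.
function buildInterpolatedSql(string $numVal): string
{
    return "select name, address from address_table where id_no='$numVal'";
}

// A bound variable leaves the parsed statement unchanged for every input; with
// interpolation even a stray quote in the (constructed) input alters the SQL
// itself, which is the opening SQL injection needs.
echo buildInterpolatedSql("12"), PHP_EOL;
echo buildInterpolatedSql("12'"), PHP_EOL;
```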
