PHP - Need to echo/print result of Oracle query in web page

Question

I've been searching for a couple of days and tried various forms of oci-fetch and not using it at all. What I'm trying to do is (code follows) get a submitted user ID (that we use in our institution) and obtain first and last name initals, add the last 4 digits of SSN and send as the reset password for the user.

I ran the first part of the sql in sql Developer, and satisfied myself that the desired outcome results.

Where I'm having a problem is taking the result of the sql and using it to update the ldap, then send in a web page. The holdup is obtaining the results of the sql via the php operations. Right now, I'm just trying to echo or print to make sure I'm getting the resultant password, but that's not happening.

Here's the code (adjusted for security):

<?php
$user = STRTOUPPER($_POST['uid']); //get input text
$conn = oci_connect("A_USER", "USER_PWORD>*", "DBSID");

if (!$conn) {
    $e = oci_error();
    trigger_error(htmlentities($e['message'], ENT_QUOTES), E_USER_ERROR);
}

$query = "select UPPER(substr(a.per_lname,1,1)) || LOWER(substr(a.per_fname,1,1)) || a.per_sno from mccuser.Pers_info a where a.per_id = ('" . $user ."')";

$stid = oci_parse($conn, $query);
$success = oci_execute($stid);
//From this point, I've tried different approaches, including not even using oci_fetch.

oci_fetch_array($stid, OCI_RETURN_NULLS+OCI_ASSOC);
$newpw = $success;
echo $newpw;

?>

I'd appreciate any suggestions.

Thanks, dfonteno

You need to assign `oci_fetch_array` to a variable, then you can access the selected values as elements of that array variable. — Barmar, Aug 26 '16 at 16:18
Functionality aside, having a predictable algorithm for your reset passwords seems like a huge security hole. A randomly generated string stored in the database and attached to the user ID would be fairly simple and much more secure. — Mike_OBrien, Aug 26 '16 at 16:35
Thanks Barmar. I'll try that. BTW, I've read a number of PHP-Oracle tutorials, and didn't see that particular piece of information. — dfonteno, Aug 26 '16 at 19:11
To Mike: You are completely correct, of course, but we have to balance that against our users apparent lack of abilities as well as where we are, and what we do. This is a community college in Mississippi, not MIT. The worst that can happen is someone can log into a student account and see their Grades or email someone, using the student's account. — dfonteno, Aug 26 '16 at 19:14
Barmar, tried the suggestion with the code below. Got the response in the web page of "Array" (without quotes). PHP log said "Array to string conversion in yadda.php on line 18". — dfonteno, Aug 26 '16 at 19:20
Replaced code - just the last part: $success = oci_execute($stid); $newpw = oci_fetch_array($stid, OCI_RETURN_NULLS+OCI_ASSOC);echo $newpw; — dfonteno, Aug 26 '16 at 19:21

score 0 · Accepted Answer · edited May 23 '17 at 12:22

0

The PHP documentation for the OCI extension is excellent and there are plenty of examples showing how to do what you want.

Your code is vulnerable to SQL Injection attack, so I've modified it to use binding.

<?php

$user = STRTOUPPER($_POST['uid']); //get input text
$conn = oci_connect('A_USER', 'USER_PWORD>*', 'DBSID', 'UTF8'); // explicitly use UTF-8

if (!$conn) {
    $e = oci_error();
    trigger_error(htmlentities($e['message'], ENT_QUOTES), E_USER_ERROR);
}

// field is aliased as 'PWD' since you want an associative array as result.
$query = 'select UPPER(substr(a.per_lname,1,1)) || LOWER(substr(a.per_fname,1,1)) || a.per_sno as pwd from mccuser.Pers_info a where a.per_id = (:usr)';
$stid = oci_parse($conn, $query);
// bind the user variable.
oci_bind_by_name($stid, ':usr', $user);
oci_execute($stid);
$result = oci_fetch_assoc($stid);
$newpw = $result['PWD']; // note the key is always uppercase by default.
echo $newpw;

That should do what you want. I do however agree with Mike_OBrien that this is a bad way to go. You replied:

The worst that can happen is someone can log into a student account and see their Grades or email someone, using the student's account.

I consider that incredibly bad. What if that account is used to email a bomb threat, or pornography? An innocent person could face criminal charges because of your lazy approach to application security.

edited May 23 '17 at 12:22

Community

1
1

answered Aug 30 '16 at 11:20

timclutton

12,682
3
33
43

Tim, I am getting errors in the php log after testing as follows: "PHP Warning: oci_bind_by_name(): ORA-01036: illegal variable name/number", "PHP Warning: oci_execute(): ORA-01745: invalid host/bind variable name", "PHP Warning: oci_fetch_assoc(): ORA-24374: define not done before fetch or execute and fetch" . The lines refer to the "oci_bind_by_name", "oci_execute", and " $result = oci_fetch_assoc" statements. Any suggestions? – dfonteno Aug 30 '16 at 20:03
Presumably you've changed the bind variable from `:usr` to an [Oracle reserved word](http://docs.oracle.com/cd/E11882_01/server.112/e41084/ap_keywd001.htm#SQLRF55621) (`:user` perhaps?). – timclutton Aug 30 '16 at 20:17
That was it. I had inadvertently added the 'e' in the query statement, itself. Now I'm getting "Undefined index: PWD..." for the $newpw assignment statement. – dfonteno Aug 30 '16 at 20:56
I added an alias for the field to make it easily accessible in the returned associative array. Have you added the `... as pwd ...` directly before the `from` to your query? – timclutton Aug 30 '16 at 21:01
Once again, I screwed up, thinking I had copied the statement from your posting, but I hadn't so the needed "as pwd" wasn't there. That does work as desired, so I can move forward from here as there is more to do with this. Thanks to you, that's done. I am also going to point out your and Brian's comments to my supervisor, who thought I was being a little too security-conscious. Maybe they'll carry a little more weight, since they come from strangers and not me. I actually had a php-generated random password being created before this, but he wanted this. Thanks to all again. – dfonteno Aug 30 '16 at 21:20
Happy to help. Note that the [etiquette](http://stackoverflow.com/help/someone-answers) is to accept the answer that provides the best solution to your problem. Good luck with your security discussion. – timclutton Aug 31 '16 at 15:35

PHP - Need to echo/print result of Oracle query in web page

1 Answers1