
How To Use Prepared Statements And Bound Parameters In Php Oci8

So using prepared statements and bound parameters is the suggested way of writing SQL statements. The OCI8 manual does not describe how to do it with prepared statements. Below is ho

Solution 1:

Yes, it's possible to use OCI8 parameterized queries for your SQL statements.

oci_bind_by_name binds a PHP variable to the Oracle bind variable placeholder bv_name. Binding is important for Oracle database performance and also as a way to avoid SQL Injection security issues.

Binding reduces SQL Injection concerns because the data associated with a bind variable is never treated as part of the SQL statement. It does not need quoting or escaping.

Read more here.

<?php
$conn = oci_connect("hr", "hrpwd", "localhost/XE");
if (!$conn) {
    $m = oci_error();
    trigger_error(htmlentities($m['message']), E_USER_ERROR);
}

// :dpid is the bind variable placeholder; its value is supplied separately below.
$sql = 'SELECT last_name FROM employees WHERE department_id = :dpid ';

$stid = oci_parse($conn, $sql);
$didbv = 60;

// Note the trailing space inside ':dpid ' here; Solution 2 below corrects it.
oci_bind_by_name($stid, ':dpid ', $didbv);
oci_execute($stid);

while (($row = oci_fetch_object($stid)) !== false) {
    echo $row->last_name . "<br>\n";
}

oci_free_statement($stid);
oci_close($conn);
?>

Solution 2:

Remove the space after :dpid on line 14. The correct syntax is: oci_bind_by_name($stid, ':dpid', $didbv);
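A general version of Solution 1's approach that also applies Solution 2's correction (placeholder names must match the SQL text exactly), added here as an example and not part of either answer. It assumes the HR sample schema and connection details used in the posted code and a request parameter named dept; the helper function name is made up for this example.

```php
<?php
// Added example, not from the original answers. Assumes the HR sample schema
// and connection details used in the answer above.
// Run a query with every value supplied through a bind variable. $binds maps
// placeholder names (':dpid') to values. oci_bind_by_name binds by reference
// and the variable must stay alive until oci_execute(), so each placeholder
// gets its own entry in $refs: binding a foreach $value would tie every
// placeholder to the same (last) value.
function oci_query_bound($conn, string $sql, array $binds): array
{
    $stid = oci_parse($conn, $sql);
    if (!$stid) {
        throw new RuntimeException(oci_error($conn)['message'] ?? 'OCI error');
    }
    $refs = [];
    foreach ($binds as $name => $value) {
        $refs[$name] = $value;
        // The name must match the SQL text exactly: ':dpid', not ':dpid '
        if (!oci_bind_by_name($stid, $name, $refs[$name])) {
            throw new RuntimeException(oci_error($stid)['message'] ?? 'OCI error');
        }
    }
    if (!oci_execute($stid)) {
        throw new RuntimeException(oci_error($stid)['message'] ?? 'OCI error');
    }
    $rows = [];
    while (($row = oci_fetch_assoc($stid)) !== false) {
        $rows[] = $row;
    }
    oci_free_statement($stid);
    return $rows;
}

$conn = oci_connect("hr", "hrpwd", "localhost/XE");
if (!$conn) {
    $m = oci_error();
    trigger_error(htmlentities($m['message']), E_USER_ERROR);
}

// Untrusted request input (assumed parameter name). Bound as data, it can
// only ever be compared against department_id; it is never parsed as SQL.
$dept = $_GET['dept'] ?? '60';

$rows = oci_query_bound($conn,
    'SELECT last_name FROM employees WHERE department_id = :dpid', [':dpid' => $dept]);
foreach ($rows as $row) {
    echo htmlentities($row['LAST_NAME']) . "<br>\n";
}
oci_close($conn);
```

Column names come back upper-cased by default from oci_fetch_assoc, hence $row['LAST_NAME'].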
