Question

I'm using PHP 5.2 with Oracle Database 11.1.

The code

$query = oci_parse($conn, "SELECT * FROM COMMENTS WHERE PINID=$pinID and COMMENTID=$commentID");

results in this error:

Warning: oci_execute() [function.oci-execute]: ORA-00904: "COMMENTS": invalid identifier in C:\IODwww\hello.php on line 159

But running this works fine:

$query = oci_parse($conn, "SELECT * FROM COMMENTS WHERE PINID=$pinID and COMMENTID=1");

Is this a result of me injecting multiple variables into the query string, or am I making some other mistake?


Solution

There is no problem with multiple variables in a PHP string.

To debug the problem, you can try:

var_dump("SELECT * FROM COMMENTS WHERE PINID=$pinID and COMMENTID=$commentID");

and see if the output really matches:

string(...) "SELECT * FROM COMMENTS WHERE PINID=1 and COMMENTID=1" 

The only thing I can think of is that commentID is empty or contains a "\n" or something attached to it that causes the error.

The error code the database puts out, "The column name entered is either missing or invalid.", doesn't make much sense to me if it works with =1.

OTHER TIPS

For both performance and SQL Injection reasons, you should be using placeholder variables, like so:

$query = oci_parse($conn, "SELECT * FROM COMMENTS WHERE PINID = :pinID and COMMENTID = :commentID");
// Bind each placeholder to a PHP variable as an integer; the values are sent
// separately from the SQL text, so they cannot change the statement itself.
oci_bind_by_name($query, ':pinID', $pinID, -1, SQLT_INT);
oci_bind_by_name($query, ':commentID', $commentID, -1, SQLT_INT);
oci_execute($query);

oci_execute()'s warning is not a PHP warning. There is something wrong with the resulting query.

Print it out and take a look at it.

Try to put the variables within brackets:

$query = oci_parse($conn, "SELECT * FROM COMMENTS WHERE PINID={$pinID} and COMMENTID={$commentID}");

Also make sure that $commentID is not returning a blank value, which would leave just COMMENTID= at the end and cause an error when trying to run the query.
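
As an added example that is not code from the question or from any of the answers, the following PHP puts the advice above together: it prints the SQL string the interpolated query produces for a few values of $commentID (the empty and trailing-newline cases suspected above, plus an injection payload), validates both ids before they get anywhere near the query, and runs the bound version with oci_error() checked instead of relying on the warning. It assumes the COMMENTS table with integer PINID and COMMENTID columns from the question and an already opened OCI8 connection in $conn; the helper names requireId, fetchComment and buildUnsafe, and the $_GET parameter names, are chosen for the example. It is written to run on PHP 5.2 like the question, so it uses array() and no scalar type hints.

```php
<?php
// Added example; not code from the question or the answers. Written for
// PHP 5.2 like the question, so no short array syntax or scalar type hints.
// Assumes the COMMENTS table (integer PINID, COMMENTID) from the question
// and an already opened OCI8 connection in $conn (not created here).

// The original, interpolating query. Only builds the string, so it runs with
// no database and shows exactly what Oracle would be asked to parse.
function buildUnsafe($pinID, $commentID)
{
    return "SELECT * FROM COMMENTS WHERE PINID=$pinID and COMMENTID=$commentID";
}

// Accept only a plain positive integer. Rejects "", "1\n", "1 OR 1=1" and
// also arrays (?commentID[]=1 in a URL arrives as an array in $_GET).
// The D modifier matters: without it "$" also matches just before a trailing
// "\n", and "1\n" would slip through.
function requireId($name, $value)
{
    if (!is_string($value) || !preg_match('/^[1-9][0-9]*$/D', $value)) {
        throw new InvalidArgumentException(sprintf(
            '%s must be a positive integer, got %s',
            $name,
            is_string($value) ? '0x' . bin2hex($value) : gettype($value)
        ));
    }
    return (int) $value;
}

// The safe version: validate, then bind. Bound values travel separately from
// the SQL text, so they can never change the statement, and Oracle can reuse
// the parsed statement for every id instead of hard-parsing a new literal.
function fetchComment($conn, $pinID, $commentID)
{
    $pinID = requireId('pinID', $pinID);
    $commentID = requireId('commentID', $commentID);

    $stmt = oci_parse($conn,
        'SELECT * FROM COMMENTS WHERE PINID = :pinID AND COMMENTID = :commentID');
    if ($stmt === false) {
        $e = oci_error($conn);
        throw new RuntimeException('oci_parse failed: ' . $e['message']);
    }
    oci_bind_by_name($stmt, ':pinID', $pinID, -1, SQLT_INT);
    oci_bind_by_name($stmt, ':commentID', $commentID, -1, SQLT_INT);

    // Silence the warning and read the ORA error from oci_error() instead,
    // which also gives the offending SQL text and the offset of the problem.
    if (!@oci_execute($stmt)) {
        $e = oci_error($stmt);
        oci_free_statement($stmt);
        throw new RuntimeException(sprintf('%s (offset %d in: %s)',
            $e['message'], $e['offset'], $e['sqltext']));
    }

    $rows = array();
    while (($row = oci_fetch_assoc($stmt)) !== false) {
        $rows[] = $row;
    }
    oci_free_statement($stmt);
    return $rows;
}

// Offline demonstration: what each value does to the interpolated SQL, and
// whether requireId() lets it through. "1 OR 1=1" is the classic injection:
// AND binds tighter than OR, so the WHERE clause becomes
// (PINID=1 and COMMENTID=1) OR 1=1 and every row in COMMENTS comes back.
foreach (array('1', '', "1\n", '1 OR 1=1') as $commentID) {
    printf("commentID=0x%s\n  SQL: %s\n", bin2hex($commentID), buildUnsafe('1', $commentID));
    try {
        requireId('commentID', $commentID);
        echo "  requireId: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "  requireId: rejected (" . $e->getMessage() . ")\n";
    }
}

// With a live connection (not opened in this example):
// $rows = fetchComment($conn, $_GET['pinID'], $_GET['commentID']);
```

The bin2hex() output in the demonstration is the quickest way to see a stray "\n" or an empty value that var_dump() can hide, and the oci_error() array returned on failure carries the exact SQL text and character offset Oracle objected to, which answers the "print it out and take a look at it" advice without having to reconstruct the query by hand.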

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow