Making a SQL query a string using PHP

Question

$isbn = strval($_POST['select_catalog']);
$conn = oci_connect($username, $password, $db);
$stmt = oci_parse($conn, 
   "select title_name, author, pub_name, price, qty_on_hand ".
   "from publisher, title ".
   "where publisher.pub_no = title.pub_no and ".
   "isbn = :bind1");
oci_bind_by_name($stmt, ":bind1", $isbn, 10);
oci_execute($stmt, OCI_DEFAULT);

The above code grabs the ISBN from a drop down select menu when the form is submitted, the stmt is my sql query, and I am using bind variables (but I have also attempted this just directly inserting the ISBN)

The issue that I run into either way is that my $isbn variable sets it as a number, my SQL query is expecting varchar2 so it must have quotes around it. However, I cannot seem to use \ to back out of the PHP to put quotes around the ":bind1". When the query is ran you get an error from the DB saying unexpected number. Is there a way to put quotes around :bind1?

Answer 1

You shouldn't need to quote it

oci_bind_by_name($stmt, ":bind1", (string)$isbn, 10, SQLT_CHR);

try specifying the type and casting the parameter to a string.

Answer 2

Try:

oci_bind_by_name($stmt, ":bind1", strval($isbn), 10);