Question

Code

$stid = oci_parse($conn, "SELECT c1 FROM t1 WHERE c2 = " . $_POST['username'] . " AND c3 = " . $_POST['password'] . "");

Problem

I get ORA-00904 and ORA-24374:

ORA-00904: string: invalid identifier
ORA-24374: define not done before fetch or execute and fetch

Replacing $_POST in the code with the fixed string that $_POST returns stops the error. It must be the $_POST or the way that I'm including it in the code.

For example, if $_POST['username'] is Doe, using $_POST['username'] doesn't work but using Doe does.


Solution

Try quoting the query variables. It looks like you are passing strings to the DB.

$stid = oci_parse($conn, "SELECT c1 FROM t1 WHERE c2 = '" . $_POST['username'] . "' AND c3 = '" . $_POST['password'] . "'");

Also escape your post data to prevent sql injection.

Other tips

The main problem with your line of code is that it's an open door for SQL injection; a call to get your server hacked. Right in the manual page for the oci_parse() function you're already using you have an example of how to pass parameters to queries:

$stid = oci_parse($conn, 'begin myproc(:p1, :p2); end;');
oci_bind_by_name($stid, ':p1', $p1);
oci_bind_by_name($stid, ':p2', $p2, 40);

oci_execute($stid);

Your code could look like this:

$username = filter_input(INPUT_POST, 'username');
$password = filter_input(INPUT_POST, 'password');

$stid = oci_parse($conn, "SELECT c1 FROM t1 WHERE c2 = :username AND c3 = :password");
oci_bind_by_name($stid, ':username', $username); // bound by reference, so a variable (not a function result) is required
oci_bind_by_name($stid, ':password', $password);
oci_execute($stid);

... though it would still be a good idea to do error checking on the return values. All three functions above return FALSE on error, and you have oci_error() to fetch an array with the last error message.
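As an added example (not part of either answer above), here is the same bound-parameter query wrapped in a function with the error checking the answer recommends. $conn is assumed to be the oci_connect() handle from the question; the function name find_c1 and the exception handling are my own choices, not the project's.

```php
<?php
// Added example: parameterized OCI8 query with error checking.
// Assumes $conn is an oci_connect() resource (as in the question).

function find_c1($conn, string $username, string $password): ?string
{
    // Placeholders instead of string concatenation: the user input is
    // never parsed as SQL, so quotes or keywords in it cannot change
    // the statement, and the ORA-00904 from unquoted values goes away.
    $sql = "SELECT c1 FROM t1 WHERE c2 = :username AND c3 = :password";

    $stid = oci_parse($conn, $sql);
    if ($stid === false) {
        $e = oci_error($conn);          // parse errors are reported on the connection
        throw new RuntimeException("oci_parse: " . $e['message']);
    }

    // oci_bind_by_name() takes the variable by reference, so the values
    // must live in real variables until oci_execute() has run.
    if (!oci_bind_by_name($stid, ':username', $username)
        || !oci_bind_by_name($stid, ':password', $password)) {
        $e = oci_error($stid);
        throw new RuntimeException("oci_bind_by_name: " . $e['message']);
    }

    if (!oci_execute($stid)) {
        $e = oci_error($stid);          // execution errors are reported on the statement
        throw new RuntimeException("oci_execute: " . $e['message']);
    }

    $row = oci_fetch_assoc($stid);      // false when no row matched
    oci_free_statement($stid);

    // Oracle returns unquoted column names in upper case.
    return $row === false ? null : (string) $row['C1'];
}

// Usage: filter_input() returns null when the field is missing, so fall
// back to an empty string rather than passing null to the binder.
$username = (string) (filter_input(INPUT_POST, 'username') ?? '');
$password = (string) (filter_input(INPUT_POST, 'password') ?? '');

try {
    $c1 = find_c1($conn, $username, $password);
    echo $c1 === null ? "no match\n" : "c1 = $c1\n";
} catch (RuntimeException $ex) {
    // Log the Oracle message server-side; do not echo it to the user.
    error_log($ex->getMessage());
    echo "query failed\n";
}
```

Checking each return value separately matters because oci_error() needs the right resource: the connection after a failed oci_parse(), the statement after a failed bind or execute. Logging the message instead of printing it keeps Oracle error details, which reveal table and column names, out of the HTTP response.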

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow