Bind OCI sysdate() to PDO parameter?

Submitted by 社会主义新天地 on 2021-01-28 04:42:42

Question


I want to bind the sysdate function in my PDO prepared query:

$db = new PDO('oci:dbname=database;charset=UTF8', 'user', 'pass');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$query = $db->prepare('SELECT :func FROM DUAL');
$query->execute(array(':func' => 'SYSDATE()'));
var_dump($query->fetch());

The result returns this:

array (size=2)
  ':FUNC' => string 'SYSDATE()' (length=9)
  0 => string 'SYSDATE()' (length=9)

I want to get the system date of my Oracle database. Is it possible?

Can you help me to make my trick?


Answer 1:


Oracle (via the OCI module in PHP) does support both IN and OUT binds. They are provided for running PL/SQL and returning the result. In your case, running a plain SQL SELECT statement, you don't need to do that.

And note that SYSDATE is not a function so you mustn't use parentheses.

Here's a working example using PDO:

$db = new PDO('oci:dbname=database;charset=UTF8', 'user', 'pass');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$query = $db->prepare('SELECT SYSDATE FROM DUAL');
$query->execute();
var_dump($query->fetch());



Answer 2:


Bind parameters are a tool to inject data (such as numbers or string literals) and make sure they don't become code. However, you are asking for the exact opposite: you want data to become code. So I'm afraid you simply cannot use that technique.

You'll have to compose SQL dynamically using good old PHP string manipulation functions, e.g.:

$sql = sprintf('SELECT %s AS "result" FROM DUAL', 'SYSDATE');

Needless to say, you should never allow free input for obvious security reasons. If you want to switch functions you'd better follow a white list approach, e.g.:

switch (filter_input(INPUT_POST, 'option')) {
    case 'time':
        $function = 'SYSDATE';
        break;
    // ... more case statements
    default:
        $function = null;
}
if (!is_null($function)) {
    $sql = sprintf('SELECT %s AS result FROM DUAL', $function);
    // ...
}
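
The allow-list approach from Answer 2, written out as an added example (not code from either answer): the option name selects a fixed SQL expression, while the date format, which is data, is still bound as a parameter. The option keys, the buildDualQuery helper and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Allow-list: request option => fixed SQL expression (code).
// The keys are hypothetical names for this example; the values are Oracle expressions.
const DUAL_EXPRESSIONS = [
    'time'      => 'SYSDATE',
    'timestamp' => 'SYSTIMESTAMP',
    'formatted' => 'TO_CHAR(SYSDATE, :fmt)', // :fmt is data, so it stays a bind parameter
];

/**
 * Hypothetical helper: returns [sql, params] for an allow-listed option,
 * or null when the option is not on the list.
 */
function buildDualQuery(string $option, string $format = 'YYYY-MM-DD'): ?array
{
    if (!array_key_exists($option, DUAL_EXPRESSIONS)) {
        return null; // unknown input never reaches the SQL text
    }
    $expr = DUAL_EXPRESSIONS[$option];
    $sql = sprintf('SELECT %s AS "result" FROM DUAL', $expr);
    // Only pass the bind value when the chosen expression actually uses it.
    $params = (strpos($expr, ':fmt') !== false) ? [':fmt' => $format] : [];
    return [$sql, $params];
}

// Constructed sample inputs: two allow-listed options, the string the
// question tried to bind, and an expression that is not on the list.
$samples = ['time', 'formatted', 'SYSDATE()', 'USER'];

foreach ($samples as $option) {
    $built = buildDualQuery($option, 'YYYY-MM-DD HH24:MI:SS');
    if ($built === null) {
        printf("%-10s => rejected (not on the allow-list)\n", $option);
        continue;
    }
    [$sql, $params] = $built;
    printf("%-10s => %s  binds=%s\n", $option, $sql, json_encode($params));
    // With a live connection ($db as created in the question):
    // $stmt = $db->prepare($sql);
    // $stmt->execute($params);
    // var_dump($stmt->fetch());
}
```

The script only builds and prints the statements, so it runs without an Oracle connection; the commented lines show where the prepared statement would be executed.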


Source: https://stackoverflow.com/questions/35993377/bind-oci-sysdate-to-pdo-parameter
