Inserting data in oracle database using php

Question

The following code is generating this

Warning: oci_execute() [function.oci-execute]: 
ORA-00911: invalid character in F:\wamp\www\SEarch Engine\done.php  on line 17

the code is...

<?php
include_once('config.php');
$db = oci_new_connect(ORAUSER,ORAPASS,"localhost/XE");

$url_name=$_POST['textfield'];
$keyword_name=$_POST['textarea'];
$cat_news=$_POST['checkbox'];
$cat_sports=$_POST['checkbox2'];
$anchor_text=$_POST['textfield2'];
$description=$_POST['textarea2'];

$sql1="insert into URL(Url_ID,Url_Name,Anchor_Text,Description) 
    VALUES( 9,".'{$url_name}'.",".'{$anchor_text}'.",".'{$description}'.")";



$result=oci_parse($db,$sql1);
oci_execute($result);





?>

Answer 1

Never insert user input directly into SQL. Use oci_bind_by_name() to prepare a secure statement. As a side effect, that will also fix the error you're getting (which is a quoting typo). The code would look like

$url_name = $_POST['textfield'];
$anchor_text = $_POST['textfield2'];
$description = $_POST['textfield3'];

$sql = 'INSERT INTO URL(Url_ID,Url_Name,Anchor_Text,Description) '.
       'VALUES(9, :url, :anchor, :description)';

$compiled = oci_parse($db, $sql);

oci_bind_by_name($compiled, ':url', $url_name);
oci_bind_by_name($compiled, ':anchor', $anchor_text);
oci_bind_by_name($compiled, ':description', $description);

oci_execute($compiled);