Passing PHP variables to SQL query in oci_parse

Question

I'm passing PHP variables into an Oracle SQL query. But it's not treating it properly and giving me ORA errors like - invalid character. I tried escaping the variable to "$sid" which makes the error go away, but the query returns nothing. Is there a way to pass PHP variables to oracle query

if(isset($_POST['action']))
{
   $sid = $_POST['action'];
   $stid = oci_parse($conn, 'SELECT emp from table emp='$sid'');
   oci_execute($stid);
}

For the sake of brevity, I removed the database connection part.

Answer 1

'SELECT emp from table emp=\'$sid\'' is a string that you pass to Oracle exactly as-is, which is why it doesn't work.

You need to bind the placeholder to a PHP variable using oci_bind_by_name .

Example:

$variable = 42;
$stid = oci_parse($conn, 'SELECT col_name FROM tbl_name WHERE col_name > :num;');
oci_bind_by_name($stid, ":num", $variable);
oci_execute($stid);