user3973427 user3973427 - 7 months ago 20
PHP Question

Oracle bind all $_POST's

I am using

oci_bind_by_name()
.

oci_bind_by_name($stid, ":post1", $_POST['post1']);
oci_bind_by_name($stid, ":post2", $_POST['post2']);
oci_bind_by_name($stid, ":post3", $_POST['post3']);
oci_bind_by_name($stid, ":post4", $_POST['post4']);
...


Is it possible to do this dynamically in PHP, for all
$_POST
keys call
oci_bind_by_name()
of the same name?

Just to simplify my code, as I have 50 or so calls to
oci_bind_by_name()
.

Answer

It can be simply done with a foreach loop over the $_POST array, using the key as the parameter name:

// Bind all in a loop:
foreach ($_POST as $key => $value) {
  oci_bind_by_name($stid, ":$key", $value);
}

However, you cannot guarantee that the client has sent you the keys in POST that you actually want. It is important then to check them against an array of keys that are actually valid for use in the prepared statement:

$valid_keys = array(
  'post1',
  'post2',
  ...
  ...
  'post99'
);

Then loop over those instead, checking that they were actually sent in the POST before attempting to use them.

foreach ($valid_keys as $key) {
  if (!isset($_POST[$key])) {
     // ERROR! Needed key was not present in $_POST!
     // Break the loop if you can't execute the statement...
  }
  else {
    oci_bind_by_name($stid, ":$key", $_POST[$key]);  
  }
} 

If you are intending to build the prepared statement's SQL string dynamically, it is especially important to maintain a list of safe parameter names.