Error in PHP search function

I am getting errors :

Warning: ociexecute() [function.ociexecute]: ORA-00936: missing expression in     /home/sjrem/public_html/ssss.php on line 31

Warning: ocifetch() [function.ocifetch]: ORA-24374: define not done before fetch or execute and fetch in /home/sjrem/public_html/ssss.php on line 49

I want to search for the VIN number in the database of oracle.. what am i doing wrong?

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Search</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<?php

/* Set oracle user login and password info */
$dbuser = "sjrem"; /* your deakin login */
$dbpass = "shn"; /* your oracle access password */
$db = "SSID";
$connect = OCILogon($dbuser, $dbpass, $db);

if (!$connect) {
echo "An error occurred connecting to the database";
exit;
}

/* build sql statement using form data */
$query = "SELECT * from cars WHERE vin=$VIN";

/* check the sql statement for errors and if errors report them */
$stmt = OCIParse($connect, $query);
//echo "SQL: $query<br>";
if(!$stmt) {
echo "An error occurred in parsing the sql string.\n";
exit;
}
OCIExecute($stmt);?>



<h1 class="green">PHP and Oracle databases</h1>
<h4>Table: <em>Cars</em></h4>
<div align="center">
<table width="850" border="0" bgcolor="#339933" cellpadding="5" cellspacing="1">
<tr bgcolor="#006633">
<td width="75" style="color:#ffff99">Vin Number</td>
<td width="75" style="color:#ffff99">Car</td>
<td width="100" style="color:#ffff99">Colour</td>
<td width="75" style="color:#ffff99">Drivetrain</td>
<td width="75" style="color:#ffff99">Location</td>
</tr>
  <?php


while(OCIFetch($stmt)) {
// Start a row for each record
echo("<tr valign=top bgcolor=#ccffcc>");

$fg1 = OCIResult($stmt,"VIN"); 
echo("<td width=75>");  
echo ($fg1);
echo("</td>");

$fg2 = OCIResult($stmt,"CAR");
echo("<td width=75>");
echo ($fg2);
echo("</td>");

$fg3 = OCIResult($stmt,"COLOUR");
echo("<td width=75>");
echo ($fg3);
echo("</td>");

$fg4 = OCIResult($stmt,"DRIVETRAIN");
echo("<t开发者_运维问答d width=75>");
echo ($fg4);
echo("</td>");

$fg5 = OCIResult($stmt,"LOCATION");
echo("<td width=75>");
echo ($fg5);
echo("</td>");

// End the row
echo("</tr>");
}
// Close the connection
OCILogOff ($connect);
?>

 </table>
</div>


</body>

</html>

If $vin is empty or not set, you query will become invalid. If $vin contains a string with non numeric characters, the query will most likely be invalid too.

You could add quotes around the value, but in that case, you would need to escape the value itself too. Any search string with a quote in it would make your query invalid again, and can possibly damage your database! If I were to search for volvo'; delete from cars; --, your query would run fine, but would also delete all values from your table. This is called sql injection.

The best way to work around this, especially in Oracle, is to use bind parameters for your query. There are some examples in the topic about oci_bind_by_name on PHP.net that should get you going.

It would have helped if you'd told what linenumbers where those, but if you google the error you get this page

It seems you get that error if your query isn't good? now you have this:

"SELECT * from cars WHERE vin=$VIN"

For instance, I never see the $VIN filled, so this might translate to

SELECT * from cars WHERE vin=

which is invalid SQL. Also, what @jensgram says in the comment: if it is a string you should enclose it like so:

    SELECT * from cars WHERE vin='$VIN'