How to Bind Parameters in an Oracle SQL Statement With the oci_free_statement() PHP Function
Most Web applications use a database in one form or another. Whether your site contains forums, has an e-commerce component or just gathers feedback from visitors, you're likely to incorporate a database into it. But even though databases are great and necessary for most Web sites, they can also hurt performance and security. To avoid these problems, you should always use bound variables in your Oracle-driven queries: parse the query once, then bind its placeholders to PHP variables.
In this article, you'll learn how to bind parameters in an Oracle SQL statement by using the oci_free_statement() function (oci_parse() in PHP 4). This technique is essential for optimizing your applications for both speed and security.
This HowTo assumes you already have an established table and can connect to it from your Oracle client. You'll also need to be familiar with basic SQL syntax.
The oci_free_statement() function frees all resources associated with an Oracle cursor or statement. This function can only be called from within a prepared statement.
If you are not using a prepared statement, Oracle parses the SQL statement afresh each time it runs, which consumes resources and introduces a lot of wait events. This becomes more noticeable as your application grows and the number of statements executed increases. You can improve performance by using a prepared statement or oci_bind_by_name(), but you must still size your OUT mode variables correctly. You should also use oci_commit() and oci_rollback() to manage your transactions appropriately.
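The following script is an added example, not code from the original article. It shows the whole sequence the article describes in PHP's OCI8 extension: parse a statement with a constant text, bind its placeholders with oci_bind_by_name() (including a sized OUT variable), execute it under explicit transaction control with oci_commit()/oci_rollback(), and release the cursor with oci_free_statement(). The connection string, the FEEDBACK table (columns ID, AUTHOR, BODY) and the FEEDBACK_SEQ sequence are assumed placeholders.

```php
<?php
// Added example; not code from the original article. The connection string,
// the FEEDBACK table (ID NUMBER, AUTHOR VARCHAR2(100), BODY VARCHAR2(4000))
// and the sequence FEEDBACK_SEQ are assumed placeholders.

$conn = oci_connect('app_user', 'app_password', 'localhost/XEPDB1');
if (!$conn) {
    $e = oci_error();
    trigger_error(htmlentities($e['message'], ENT_QUOTES), E_USER_ERROR);
}

$author = $_GET['author'] ?? '';

// UNSAFE (shown for contrast only): splicing the value into the SQL text means
// every distinct value is a new statement for Oracle to parse, and a crafted
// value can change the meaning of the statement.
//   $sql = "SELECT id, body FROM feedback WHERE author = '" . $author . "'";

// SAFE: constant statement text plus a named bind placeholder. Oracle can
// reuse the parsed cursor and the value never becomes part of the SQL.
$stid = oci_parse($conn, 'SELECT id, body FROM feedback WHERE author = :author');
// oci_bind_by_name() binds by reference, so $author must exist before execute.
oci_bind_by_name($stid, ':author', $author);
oci_execute($stid);
while (($row = oci_fetch_assoc($stid)) !== false) {
    printf("%d: %s\n", $row['ID'], htmlspecialchars($row['BODY'], ENT_QUOTES));
}
// Release the cursor as soon as the result set has been consumed.
oci_free_statement($stid);

// INSERT with an OUT bind. The OUT variable must be sized up front (fourth
// argument of oci_bind_by_name), otherwise the returned value is truncated.
$body  = $_POST['body'] ?? '';
$newId = null;

$ins = oci_parse(
    $conn,
    'INSERT INTO feedback (id, author, body) '
    . 'VALUES (feedback_seq.NEXTVAL, :author, :body) RETURNING id INTO :id'
);
oci_bind_by_name($ins, ':author', $author);
oci_bind_by_name($ins, ':body', $body);
oci_bind_by_name($ins, ':id', $newId, 20); // OUT variable; 20 bytes is ample for a NUMBER

// Manage the transaction explicitly instead of relying on auto-commit.
if (oci_execute($ins, OCI_NO_AUTO_COMMIT)) {
    oci_commit($conn);
    echo "Inserted feedback row $newId\n";
} else {
    $e = oci_error($ins);
    oci_rollback($conn);
    error_log('feedback insert failed: ' . $e['message']);
}
oci_free_statement($ins);
oci_close($conn);
```

The SELECT and the INSERT each keep a single statement text regardless of the input values, which is what lets Oracle reuse the parsed cursor across requests; freeing each statement immediately after use returns the cursor to the server before the next query is parsed.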