MySQL预处理语句返回false

时间:2013-09-06 13:25:09

标签: php mysql prepared-statement

我有以下工作 MySQL插入:

$tableSelect = $_POST["tableSelect"];
$companyName = $_POST["companyName"];
$telephone = $_POST["telephone"];
$fax = $_POST["fax"];
$email = $_POST["email"];
$address = $_POST["address"];
$postcode = $_POST["postcode"];
$category = $_POST["category"];
$contact = $_POST["contact"];
$contactTel = $_POST["contactTel"];
$contactEmail = $_POST["contactEmail"];
$sql = "INSERT INTO $tableSelect (companyName,telephone,fax,email,address,postcode,category,contact,contactTel,
    contactEmail) VALUES ('$companyName','$telephone','$fax','$email','$address','$postcode','$category',
    '$contact','$contactTel','$contactEmail');";
if (!mysqli_query($con,$sql)) {
    die('Error: ' . mysqli_error($con));
}

然而,我试图将其改为准备好的声明以保护自己免受注射,如下所示:

$stmt = $con->prepare("INSERT INTO suppliers (companyName,telephone,fax,email,address,postcode,
    category,contact,contactTel,contactEmail) VALUES(:companyName, :telephone, :fax, :email, :address,
    :postcode, :category, :contact, :contactTel, :contactEmail);");
if ($stmt !== FALSE) {
    $stmt->bindParam(':companyName',$companyName);
    $stmt->bindParam(':telephone',$telephone);
    $stmt->bindParam(':fax',$fax);
    $stmt->bindParam(':email',$email);
    $stmt->bindParam(':address',$address);
    $stmt->bindParam(':postcode',$postcode);
    $stmt->bindParam(':category',$category);
    $stmt->bindParam(':contact',$contact);
    $stmt->bindParam(':contactTel',$contactTel);
    $stmt->bindParam(':contactEmail',$contactEmail);
    $companyName = $_POST["companyName"];
    $telephone = $_POST["telephone"];
    $fax = $_POST["fax"];
    $email = $_POST["email"];
    $address = $_POST["address"];
    $postcode = $_POST["postcode"];
    $category = $_POST["category"];
    $contact = $_POST["contact"];
    $contactTel = $_POST["contactTel"];
    $contactEmail = $_POST["contactEmail"];
    $stmt->execute();
}
else {
    echo "Could not connect";
}

每次运行时,$stmt都会返回false。这是我第一次使用预处理语句,而且我对MySQL很新,所以我会非常感谢一些指针。

2 个答案:

答案 0 :(得分:1)

mysqli的语法错误。您已尝试使用PDO。对于mysqli 

$stmt = $con->prepare("INSERT INTO suppliers (companyName,telephone,fax,email,address,postcode,category,contact,contactTel,contactEmail) VALUES(?,?,?,?,?,?,?,?,?,?)");



if($stmt){

        $stmt->bind_param('ssssssssss',$companyName,$telephone,$fax,$email,$address,$postcode,$category,$contact,$contactTel,$contactEmail);
        //s for string, i for integer, d for double, b for blob
        $stmt->execute();
}else{

       echo($con->error); //TO display Error
}

答案 1 :(得分:0)

虽然你的问题肯定是个问题,但这里有一些指示

假设你在第二个例子中使用PDO(出于某种原因你没有在你的问题中指出它)

  1. 你必须告诉PDO抛出异常

    $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

    它会让你至少想出一条错误信息。

  2. 客户端永远不应提供表名
  3. 调整绑定变量以使其适合查询
  4. 而不是那个冗长而多风的代码,只需从$ _POST数组中删除不必要的成员,然后将其传递给执行

    5. 类似这样的事情

    $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$sql = "INSERT INTO suppliers 
 (companyName,telephone,fax,email,address,postcode,
  category,contact,contactTel,contactEmail) 
 VALUES 
 (:companyName, :telephone, :fax, :email, :address,
  :postcode, :category, :contact, :contactTel, :contactEmail)";
$stmt = $con->prepare($sql);
unset ($_POST['submit']);
// make sure you unset all the useless members
$stmt->execute($_POST);
相关问题
最新问题