Fatal error: Call to a member function execute() on a non-object in /blah/blah/blah.php

Time: 2013-10-16 08:24:58

Tags: php mysql mysqli prepared-statement

I am trying to use prepared statements in my MySQL queries to prevent SQL injection.

I have replaced this line:

$this->Query_ID = @mysql_query($Query_String_Clean,$this->Link_ID);

With this:

$preparedQuery  = $this->Link_ID->prepare($Query_String_Clean);
$this->Query_ID = $preparedQuery->execute();

But it doesn't work, giving the error:

Call to a member function execute() on a non-object

Am I doing something wrong?

1 answer:

Answer 0: (score: 0)

This is how you read with MySQLi:

Take a look at this:

<?php
// Init the database connection
$db = new mysqli("example.com", "user", "password", "database");

// Look for errors or throw an exception
if ($db->connect_errno) {
    throw new Exception($db->connect_error, $db->connect_errno);
}

// Init prepared statement
$prep = $db->stmt_init();

// Prepared statement
$prep = $db->prepare("SELECT username, points FROM account_information WHERE username = ? AND username IS NOT NULL AND username != ''");

// See if statement is ok
if (!$prep) {
    throw new Exception($db->error);
}

// Put your variables into the query
$prep->bind_param('s', $_SESSION['username']);

// Fire the query!
$prep->execute();

// This is magic, it's awesome.. try it :-))
$prep->bind_result($username, $points);

// Get the results easily
while ($prep->fetch()) {
    echo "{$username} has {$points}<br>", PHP_EOL;
}

// This is like in our house, when we leave it, we close the door
$prep->close();
$db->close();
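Added example (not code from the question or the answer): a wrapper method of the kind the question describes, rewritten so that the SQL text and the user-supplied values travel separately. The error in the question means `prepare()` did not return a statement object, so its return value is checked before `execute()` is called. The `Database` class, its `query()` signature and the `$_GET['username']` input are assumptions made for illustration; the connection details are placeholders, and `get_result()` requires the mysqlnd driver.

```php
<?php
// Added example: hypothetical Database wrapper. Class, method and input
// names are assumptions, not the asker's real code.
class Database
{
    /** @var mysqli */
    private $link;

    public function __construct(mysqli $link)
    {
        // Must be a mysqli object; a resource returned by mysql_connect()
        // has no prepare() method.
        $this->link = $link;
    }

    /**
     * Run a parameterized query. $sql contains only ? placeholders;
     * user-supplied values are passed separately in $params.
     */
    public function query($sql, $types = '', array $params = [])
    {
        $stmt = $this->link->prepare($sql);
        if ($stmt === false) {
            // prepare() returned false (e.g. invalid SQL). Calling execute()
            // on it is what raises "execute() on a non-object".
            // Note: PHP 8.1+ throws mysqli_sql_exception here by default.
            throw new RuntimeException('prepare failed: ' . $this->link->error);
        }
        if ($params) {
            $stmt->bind_param($types, ...$params);
        }
        // execute() returns a bool, not a result handle like mysql_query().
        if (!$stmt->execute()) {
            throw new RuntimeException('execute failed: ' . $stmt->error);
        }
        $result = $stmt->get_result(); // false for INSERT/UPDATE/DELETE
        $rows = $result ? $result->fetch_all(MYSQLI_ASSOC) : $stmt->affected_rows;
        $stmt->close();
        return $rows;
    }
}

// Placeholder connection details, matching the answer above.
$db = new Database(new mysqli('example.com', 'user', 'password', 'database'));
$name = isset($_GET['username']) ? $_GET['username'] : '';
// Still injectable, even via prepare(): the value is already in the SQL text.
//   $db->query("SELECT points FROM account_information WHERE username = '$name'");
// Safe: the value is bound and never parsed as SQL.
$rows = $db->query('SELECT points FROM account_information WHERE username = ?', 's', [$name]);
```

Passing an already concatenated string such as `$Query_String_Clean` to `prepare()` gives no injection protection; only values supplied through `bind_param()` are kept out of the SQL parser.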