在非对象MySQLi上调用成员函数bindParam()

时间:2014-01-29 17:51:37

标签: php mysql sql sql-server mysqli

请原谅,我是SQL新手。我已经构建了一个允许用户输入值的表单。

我正在尝试删除SQL注入的可能性,因此在我的编程中采取了适当的措施。

这是我使用$ POST的代码,容易受到SQL注入:

$dbh=mysqli_connect("localhost","root","","toplist");

// Checking the connection
if (mysqli_connect_errno($dbh))
  {
  echo "Could not connect do SQL database: " . mysqli_connect_error();
  }

$serverip=$_POST['post_serverip'];
$serverport=$_POST['post_serverport'];
$servertitle=$_POST['post_servertitle'];
$serverdesc=$_POST['post_serverdesc'];
$serverwebsite=$_POST['post_serverwebsite'];
$listingtype=$_POST['post_listingtype'];
$query = mysqli_query($con,"INSERT INTO servers (serverip, serverport, servertitle,     serverdesc, serverwebsite, listingtype) VALUES     ('$serverip','$serverport','$servertitle','$serverdesc','$serverwebsite','$listingtype')");

我听说预备语句减少/禁用了SQL注入的风险,因此我使用预准备语句转换了代码:

$dbh=mysqli_connect("localhost","root","","toplist");
global $DBH; 
// Checking the connection
if (mysqli_connect_errno($dbh))
  {
  echo "Could not connect do SQL database: " . mysqli_connect_error();
  }

// Inserting input values into its respected row serverip, serverport, servertitle,     serverdesc, serverwebsite, listingtype
$stmt = $dbh->prepare("INSERT INTO servers (name, value) VALUES (:serverip, :serverip,     :serverport, :serverport, :server desc, :server desc, :serverwebsite, :serverwebsite,     :listing type, :listing type)");
$stmt->bind_param(':post_serverip', $serverip);
$stmt->bind_param(':post_serverport', $serverport);
$stmt->bind_param(':post_servertitle', $servertitle);
$stmt->bind_param(':post_serverdesc', $serverdesc);
$stmt->bind_param(':post_serverwebsite', $serverwebsite);
$stmt->bind_param(':post_listingtype', $listingtype);

但是我收到错误:在非对象上调用成员函数bindParam()..其他一切似乎没问题,因为这是我收到的唯一错误。

我做了一些搜索,我认为错误可能是由于与数据库的连接造成的。 是否有人确定这是由什么造成的?

1 个答案:

答案 0 :(得分:1)

修改

$serverip=$_POST['post_serverip'];
$serverport=$_POST['post_serverport'];
$servertitle=$_POST['post_servertitle'];
$serverdesc=$_POST['post_serverdesc'];
$serverwebsite=$_POST['post_serverwebsite'];
$listingtype=$_POST['post_listingtype'];

$mysql_hostname = 'xxx';
$mysql_username = 'xxx';
$mysql_dbname = 'xxx';
$mysql_password = '';

$dbh= new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);

$stmt = $dbh->prepare("INSERT INTO servers (serverip, serverport, servertitle, serverdesc, serverwebsite, listingtype)
            VALUES (:serverip, :serverport, :servertitle, :serverdesc, :serverwebsite, :listingtype)");

$stmt->bindParam(':serverip', $serverip);
$stmt->bindParam(':serverport', $serverport);
$stmt->bindParam(':servertitle', $servertitle);
$stmt->bindParam(':serverdesc', $serverdesc);
$stmt->bindParam(':serverwebsite', $serverwebsite);
$stmt->bindParam(':listingtype', $listingtype);
$stmt->execute();

编号数组方法

$serverip=$_POST['post_serverip'];
$serverport=$_POST['post_serverport'];
$servertitle=$_POST['post_servertitle'];
$serverdesc=$_POST['post_serverdesc'];
$serverwebsite=$_POST['post_serverwebsite'];
$listingtype=$_POST['post_listingtype'];

$mysql_hostname = 'xxx';
$mysql_username = 'xxx';
$mysql_dbname = 'xxx';
$mysql_password = '';

$dbh= new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);

$stmt = $dbh->prepare("INSERT INTO servers (serverip, serverport, servertitle, serverdesc, serverwebsite, listingtype)
            VALUES (:serverip, :serverport, :servertitle, :serverdesc, :serverwebsite, :listingtype)");

$stmt->bindParam(1, $serverip);
$stmt->bindParam(2, $serverport);
$stmt->bindParam(3, $servertitle);
$stmt->bindParam(4, $serverdesc);
$stmt->bindParam(5, $serverwebsite);
$stmt->bindParam(6, $listingtype);

$stmt->execute(array(
':serverip' => $serverip, 
':serverport' => $serverport, 
':servertitle' => $servertitle, 
':serverdesc' => $serverdesc, 
':serverwebsite' => $serverwebsite, 
':listingtype' => $listingtype));

通过示例帮助OP的原始答案

尝试这样,并替换column_1value_1等,以匹配您的列和变量。

N.B。:如果您想要分隔单词,请使用下划线而不是连字符。

方法#1 

$mysql_hostname = 'xxx';
$mysql_username = 'xxx';
$mysql_dbname = 'xxx';
$mysql_password = '';

$dbh= new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);

$stmt = $dbh->prepare("INSERT INTO servers (column_1, column_2, column_3, column_4, column_5, column_6)
            VALUES (:value_1, :value_2, :value_3, :value_4, :value_5, :value_6)");

$stmt->bindParam(':column_1', $value_1);
$stmt->bindParam(':column_2', $value_2);
$stmt->bindParam(':column_3', $value_3);
$stmt->bindParam(':column_4', $value_4);
$stmt->bindParam(':column_5', $value_5);
$stmt->bindParam(':column_6', $value_6);
$stmt->execute();

“或”此方法:(方法#2)

不要将它们混合在一起。使用其中一种。

注意:保持$stmt->bindParam(1, $serverip);等保持1,2,3,4,5,6,然后将$value_x替换为$serverip等。

$mysql_hostname = 'xxx';
$mysql_username = 'xxx';
$mysql_dbname = 'xxx';
$mysql_password = '';

$dbh= new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);


$stmt = $dbh->prepare("INSERT INTO servers (column_1, column_2, column_3, column_4, column_5, column_6)
            VALUES (:value_1, :value_2, :value_3, :value_4, :value_5, :value_6)");

$stmt->bindParam(1, $value_1);
$stmt->bindParam(2, $value_2);
$stmt->bindParam(3, $value_3);
$stmt->bindParam(4, $value_4);
$stmt->bindParam(5, $value_5);
$stmt->bindParam(6, $value_6);

$stmt->execute(array(
':column_1' => $value_1, 
':column_2' => $value_2, 
':column_3' => $value_3, 
':column_4' => $value_4, 
':column_5' => $value_5, 
':column_6' => $value_6));
相关问题
最新问题