这是我第一次尝试使用mysqli prepared statement保护我的代码免受sql注入。所以请保持温和,用简单的语言解释一下,这样我才能理解。
现在我正在使用以下代码,我认为我是对的,但它会抛出这些错误,我根本不理解。
这是错误:
Warning: mysqli_stmt_bind_param() expects parameter 1 to be mysqli_stmt, boolean given in on line 92
Warning: mysqli_stmt_execute() expects parameter 1 to be mysqli_stmt, boolean given in on line 93
Warning: mysqli_stmt_close() expects parameter 1 to be mysqli_stmt, boolean given in on line 96
这是代码:
$stmt = mysqli_prepare(
$db_conx,
"INSERT $storenameTable (firstname, lastname, username, address_1, address_2, postcode, country, county, city, email, password, storeShop, signupdate) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
);
//after validation, of course
mysqli_stmt_bind_param($stmt, "issi", $firstname, $lastname, $username, $address_1, $address_2, $postcode, $country, $county, $city, $email, $hashedPass, $storenameTable);
mysqli_stmt_execute($stmt); <//<<<<<<<< line 92
if (mysqli_affected_rows($db_conx)) <//<<<<<<<< line 93
{
mysqli_stmt_close($stmt); <//<<<<<<<< line 96
//update was successful
$id = mysqli_insert_id($db_conx);
}
我将非常感谢你的帮助。
答案 0 :(得分:1)
似乎你有一个缺少的参数,你应该有13个参数和13 ?检查密码后的两个参数。 (我拿出signupdate)尝试以下内容:
$stmt = mysqli_prepare(
$db_conx,
"INSERT INTO $storenameTable (firstname, lastname, username, address_1, address_2, postcode, country, county, city, email, password, storeShop) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
);
//after validation, of course
mysqli_stmt_bind_param($stmt, "issi", $firstname, $lastname, $username, $address_1, $address_2, $postcode, $country, $county, $city, $email, $hashedPass, $storenameTable);
mysqli_stmt_execute($stmt); <//<<<<<<<< line 92
if (mysqli_affected_rows($db_conx)) <//<<<<<<<< line 93
{
mysqli_stmt_close($stmt); <//<<<<<<<< line 96
//update was successful
$id = mysqli_insert_id($db_conx);
}
您还可以使用var_dump(mysqli_error($db_conx));
答案 1 :(得分:0)
password是MySQL中的函数名。函数名称(如保留字)必须用反引号括起来用作字段名称。
就个人而言,我会说在所有数据库,表格和列名称周围添加反引号。
在MySQL中使用“裸”名称类似于在PHP中使用裸字符串。当然,$foo = bar;将工作,但它依赖于bar不是常数。好吧,在MySQL中,你依赖的是你的列名而不是保留字。一样。使用反引号!