在非对象上调用成员函数bind_param() - PHP

时间:2014-05-02 18:31:16

标签: php forms mysqli

我已尝试过所有内容,查看了有关stackoverflow的问题,google it,查看文档。但没有任何作用。它一直在说

Call to a member function bind_param() on a non-object

这是原始代码无法正常运行

以下是代码:

<?php
    ob_start();

    $myusername = @$_POST['username'];
    $mypassword = @$_POST['password'];

    if (isset($_POST['logged'])) {
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    $sql = "SELECT * FROM members WHERE username='$myusername'";
    $sql->bind_param("s", $sql);
    $result = mysql_query($sql);

    $count = mysql_num_rows($result);

    if (!empty($myusername) && !empty($mypassword)) {
        if($count == 1) {
            $row = mysql_fetch_array($result);
            if (md5($mypassword) == $row['password']) {
                $_SESSION['username'] = $myusername;
                $_SESSION['first_name'] = $row['first_name'];
                $_SESSION['last_name'] = $row['last_name'];
                $_SESSION['email'] = $row['email'];
                $_SESSION['loggedIn'] = true;
            }
            else {
                echo "<p style=\"color: red\">Wrong Password</p>";
            }
        }
        else {
            echo "<p style=\"color: red\">Wrong Username</p>";
        }
    }
    else {
        echo "<p style=\"color: red\">Fill in all fields</p>";
    }
}
?>

这是更新的代码。

更新 

<?php
    ob_start();

    $myusername = @$_POST['username'];
    $mypassword = @$_POST['password'];

    if (isset($_POST['logged'])) {
        //$myusername = mysqli_real_escape_string($conn, $myusername);
        //$mypassword = mysqli_real_escape_string($conn, $mypassword);
        $stmt = $conn->prepare("SELECT * FROM members WHERE username=? AND password=md5(?)") or die($conn->error); //UPDATE
        $stmt->bind_param("ss", $myusername, $mypassword);
        $stmt->execute() or die($conn->error);
        $stmt->store_result();
        $count = $stmt->num_rows();

        if (!empty($myusername) && !empty($mypassword)) {
            if($count == 1) {
                $result = $stmt->get_result();
                $row = $result->fetch_array();
                $_SESSION['username'] = $myusername;
                $_SESSION['first_name'] = $row['first_name'];
                $_SESSION['last_name'] = $row['last_name'];
                $_SESSION['email'] = $row['email'];
                $_SESSION['loggedIn'] = true;
            }
            else {
                echo "<p style=\"color: red\">Wrong Username or Password</p>";
            }
        }
        else {
            echo "<p style=\"color: red\">Fill in all fields</p>";
        }
    }
?>

2 个答案:

答案 0 :(得分:2)

$stmt不是对象,它是一个字符串。因此,“在非对象上调用成员函数bind_param()”。

您需要从该查询创建一个实际的语句。

答案 1 :(得分:0)

试试这个:

    $stmt = $conn->prepare("SELECT * FROM members WHERE username = ? AND password = md5(?)" 
        or die ($db->error);
    $stmt->bind_param("ss", $username, $password);
    $stmt->execute() or die($stmt->error);
    $stmt->store_result();
    $count = $stmt->num_rows();

在查询中使用参数时,不需要使用stripslashes或转义字符串。您必须调用prepare()将SQL转换为语句。您将参数值传递给bind_param,而不是SQL语句。 execute返回一个布尔值,指示查询是否成功,您在语句本身上调用num_rows

使用准备好的查询时,将替换要用?占位符替换的值。然后用bind_param中命名的变量填充它们。当您在预准备语句中使用参数时,不应该调用mysqli_real_escape_string

如果您只是按照PHP mysqli文档中的示例进行操作,那么您应该能够正确地看到所有这些步骤。

相关问题
最新问题