我试图通过以下语句添加新的数据库用户:
$insert = $db->prepare("CREATE USER ? IDENTIFIED BY ?");
$insert->bind_param('ss', $_POST['username'], $_POST['pass']);
$insert->execute();
数据库给我错误:
You have an error in your SQL syntax; (...) near '? IDENTIFIED BY ?' at line 1
当我尝试添加没有?通配符的新用户时,一切都很好:
CREATE USER john IDENTIFIED BY 'johnpassword' //this works,
但即使使用CONCAT("'", ?, "'")提交数据也无济于事。
我在MySQL文档中读到MySQL 5.7应该支持CREATE USER SQL语句的预处理语句,但是使用MySQLi似乎并不是这样。
答案 0 :(得分:0)
我通过设置数据库变量:
中的值来省略此问题 $insert = $db->prepare("SET @username = ? "); //store username in variable in database
$insert->bind_param('s', $_POST['username']);
$insert->execute();
$insert = $db->prepare("SET @password = ? "); //store password in variable in database
$insert->bind_param('s', $_POST['pass']);
$insert->execute();
$insert = $db->query("SET @query1 = CONCAT('CREATE USER ', @username,' IDENTIFIED BY \'', @password, '\'')");
if ($insert == false) {
print ($db->error);
}
$insert = $db->multi_query("PREPARE stmt FROM @query1"); //create user by using initialized variables. Note that you dont need to use prepared statements now
if ($insert == false) {
print ($db->error);
}
$insert = $db->query("EXECUTE stmt;");
if ($insert == false) {
print ($db->error);
}
$insert = $db->query("DEALLOCATE PREPARE stmt;");
if ($insert == false) {
print ($db->error);
}
$insert = $db->query("SET @password = null"); //clear plaintext password for safety reasons