Help! Please, I am trying to add MySQL injection to my code:
Message
I got this warning:
Warning: mysqli_stmt_bind_param(): Number of variables doesn't match number of parameters in prepared statement in C:\wamp\www\Ex\insert-data.php on line 30
Call Stack
# Time Memory Function Location
1 0.0005 142320 {main}() ..\insert-data.php:0
2 0.1655 294232 mysqli_stmt_bind_param() ..\insert-data.php:30
Line 30 is:
if($stmt = mysqli_prepare($dbconn,$sqlinsert="INSERT INTO `T`(`ID`,`FName`, `LName`, `Gender`, `Agreement`,`Photo`,`Photo_name`) VALUES ('$id','$fname','$lname','$Gender','$radios','$image','$image_name')"))
{
/* bind parameters for markers */
mysqli_stmt_bind_param($stmt, "i", $id);
}
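Is there a way to solve this problem?
I tried this form, mysqli_stmt_bind_param($stmt, "i", $id);, but it did not work.
Any ideas? Thanks for your help.
Answer 0: (score: 0)
Assuming you are willing to use PDO instead of mysqli.
Your database connection should look like this:
db.php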
<?php
$host = 'localhost';
$dbname = 'Example';
$username = "root";
$password = "";
// Build the DSN from the variables defined above
$conn = new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>
Prepared statement:
file.php
<?php
//Example prepared statement with INSERT
$reply = $conn->prepare("INSERT INTO reply (user_name,
receipient, comment, comment_id, user_image) VALUES
(:username,:receipient,:commentt,:commentid,:userimage)");
$reply->bindParam(":username", $user3_name, PDO::PARAM_STR);
$reply->bindParam(":receipient", $user2_name, PDO::PARAM_STR);
$reply->bindParam(":commentt", $comment2, PDO::PARAM_STR);
$reply->bindParam(":commentid", $c_id, PDO::PARAM_INT);
$reply->bindParam(":userimage", $u_image, PDO::PARAM_STR);
$reply->execute();
?>
FOR MYSQLI
db.php
<?php
$db = new mysqli("localhost","root","","dbname");
?>
file.php
<?php
$stmt = $db->prepare("INSERT INTO reply (user_name,
receipient, comment, user_image) VALUES
(?,?,?,?)");
$stmt->bind_param('ssss', $username, $receipient,$commentt,$userimage);
$stmt->execute();
?>
Answer 1: (score: 0)
<?php
$fname = $_POST['first'];//should be the name attribute used in your form
$lname = $_POST['last'];
$gender = $_POST['gen'];
$agreement = $_POST['agree'];
$photo = $_POST['pic'];
$p_name = $_POST['pic_name'];
$stmt = $dbconn->prepare("INSERT INTO T(FName, LName, Gender,
Agreement,Photo,Photo_name) VALUES (?, ?, ?, ?, ?, ?)");
$stmt->bind_param('ssssss',$fname,$lname,$gender,$agreement,$photo,$p_name);
$stmt->execute();
?>
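Added example (not part of the question or of either answer): the warning in the question occurs because the SQL text contains no ? markers while one variable is bound. The sketch below generates the markers from the column list so the two counts cannot diverge, and shows the same input failing when interpolated and stored verbatim when bound. Assumptions: it uses PDO with in-memory SQLite (pdo_sqlite enabled) so it runs without a MySQL server; insertRow() and the sample row are constructed for illustration; the table T and its columns are the ones from the question.

```php
<?php
// Added example: placeholders are generated from the column list, so the
// number of markers always equals the number of bound values.
// Assumptions: pdo_sqlite is enabled; insertRow() is a hypothetical helper.

const T_COLUMNS = ['ID', 'FName', 'LName', 'Gender', 'Agreement', 'Photo', 'Photo_name'];

function insertRow(PDO $db, array $row): void
{
    // Identifiers cannot be bound, so column names come from a fixed
    // allow-list and the row must match it exactly.
    if (array_keys($row) !== T_COLUMNS) {
        throw new InvalidArgumentException('row must contain exactly: ' . implode(', ', T_COLUMNS));
    }
    $markers = implode(', ', array_fill(0, count(T_COLUMNS), '?'));
    $sql = 'INSERT INTO T (' . implode(', ', T_COLUMNS) . ") VALUES ($markers)";
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($row)); // one value per marker, in column order
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE T (ID INTEGER PRIMARY KEY, FName TEXT, LName TEXT,
           Gender TEXT, Agreement TEXT, Photo BLOB, Photo_name TEXT)');

// Constructed sample input; the quote in LName is the interesting part.
$row = ['ID' => 1, 'FName' => 'Pat', 'LName' => "O'Brien", 'Gender' => 'F',
        'Agreement' => 'yes', 'Photo' => "\x89PNG", 'Photo_name' => 'pat.png'];

// The question's shape: values spliced into the SQL text. The quote ends the
// string literal early, so the input has changed the statement itself.
try {
    $db->exec("INSERT INTO T (ID, LName) VALUES ('2', '{$row['LName']}')");
    echo "interpolated: accepted\n";
} catch (PDOException $e) {
    echo "interpolated: rejected by the parser\n";
}

// Bound values: the same input is data only and is stored byte for byte.
insertRow($db, $row);
$stored = $db->query('SELECT LName FROM T WHERE ID = 1')->fetchColumn();
echo 'bound: ', var_export($stored === $row['LName'], true), "\n";
```

The same rule applies to mysqli: the statement needs one ? per value, and bind_param() needs one type character and one variable for each ?.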