首先,请知道我没有使用它作为真实世界的登录它纯粹是为了练习。我正在使用PHP / MySQLi,我试图实现准备好的语句,但我没有正确地做到这一点。这是我的工作代码,只有mysqli_escape_string:
$host="localhost";
$username="login";
$password="password";
$db_name="database";
$link=mysqli_connect("$host", "$username", "$password", "$db_name")or die("cannot connect to server");
$tbl_name=temp_members;
// Random confirmation code to be sent in email
$confirm_code=md5(uniqid(rand()));
//from signup.php
$name=$_POST['name'];
$email=$_POST['email'];
$pwd=$_POST['password'];
$name = mysqli_real_escape_string($link, $name);
$email = mysqli_real_escape_string($link, $email);
$pwd = mysqli_real_escape_string($link, $pwd);
$pwd = password_hash($pwd, PASSWORD_DEFAULT);
// Insert data into temp_members
$sql="INSERT INTO $tbl_name(confirm_code, name, email, password)VALUES('$confirm_code', '$name', '$email', '$pwd')";
$result=mysqli_query($link, $sql);
if($result){
//email
$to=$email;
$subject="(no reply)";
$header="from: Ben Pappas <mrbenpappas@gmail.com>";
// message
$message="Hello ".$name.", Thanks for signing up! \r\n";
$message.="Click on this link to activate your account: \r\n";
$message.="http://www.monger.us/verify/confirmation.php? passkey=$confirm_code";
// send email
$sentmail = mail($to,$subject,$message,$header);
}
这是我对PDO /预备陈述的(差)尝试:
$host="localhost";
$username="login";
$password="password";
$db_name="database";
$link = new PDO("mysql:host=$host;dbname=$db_name",$username,$password) or die("cannot connect to server");
$tbl_name=temp_members;
// Random confirmation code to be sent in email
$confirm_code=md5(uniqid(rand()));
//from signup.php
$name=$_POST['name'];
$email=$_POST['email'];
$pwd=$_POST['password'];
$name = mysqli_real_escape_string($link, $name);
$email = mysqli_real_escape_string($link, $email);
$pwd = mysqli_real_escape_string($link, $pwd);
$pwd = password_hash($pwd, PASSWORD_DEFAULT);
// Insert data into temp_members
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name, email, password)VALUES('$confirm_code', '$name', '$email', '$pwd')";
$statement->execute(array(
$confirm_code => 'confirm_code',
$email => 'email',
$name => 'name'
));
$result = ($link, $statement);
if($result){
//email
$to=$email;
$subject="(no reply)";
$header="from: Ben Pappas <mrbenpappas@gmail.com>";
// message
$message="Hello ".$name.", Thanks for signing up! \r\n";
$message.="Click on this link to activate your account: \r\n";
$message.="http://www.monger.us/verify/confirmation.php? passkey=$confirm_code";
// send email
$sentmail = mail($to,$subject,$message,$header);
}
我在调用语句变量的行上收到一条错误消息,上面写着意外的“;”
请原谅任何明显的错误我是一个padawan
答案 0 :(得分:2)
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name,
email, password)VALUES('$confirm_code', '$name', '$email', '$pwd')";
应为:
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name,
email, password)VALUES(:confirm_code, :name, :email, :pwd)");
$statement->execute(array(
':confirm_code' => $confirm_code,
':email' => $email,
':name' => $name,
':pwd' => $pwd
));
此外,不需要mysqli_real_escape_string代码:bind负责为您转义数据。
答案 1 :(得分:1)
$value = $_POST['value'];
$stmt = $mysqli->prepare("INSERT INTO XYZ (field) VALUES (?)");
$stmt->bind_param('s', $value);
$stmt->execute();
声明应如下所示。
“s”表示字符串,“i”表示int
答案 2 :(得分:1)
你是missing $ statement行上的close括号:
试试这个
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name, email, password)VALUES(:confirm_code, :name, :email, :pwd)");
$statement->execute(array(
':confirm_code' => $confirm_code,
':email' => $email,
':name' => $name,
':pwd' => $pwd
));