以下代码有什么问题 - :
<?php
if($_SERVER["REQUEST_METHOD"]=="POST")
{
require 'connection.php';
create_user();
}
function create_user(){
global $connect;
$name = $_POST["name"];
$username = $_POST["username"];
$password = $_POST["password"];
$age = $_POST["age"];
$query = "Insert into usertable(name, username, password, age) values ('$name','$username','$password','$age');";
mysqli_connect($connect, $query) or die (mysqli_error($connect));
mysqli_close($connect);
}
?>
它给出了以下错误,我给出的第一个参数是String only-:
<br />
<b>Warning</b>: mysqli_connect() expects parameter 1 to be string, object given in
<b>C:\xampp\htdocs\webservice\insertuser.php</b> on line
<b>19</b>
<br />
can't connect
第19行是mysqli_connect($ connect,$ query)或者死(mysqli_error($ connect));
答案 0 :(得分:1)
使用prepared statements绑定。没有sql注入。启用错误报告。
这是端对端的。
更改连接参数。
你的变量自然来自$_POST[],而我对它们进行了硬编码。你明白了。我希望。
永远不要使用用户提供的数据而不用你的方式绑定。甚至在插入语句中。除非你想要第二级sql注入攻击。
create table data
( id int auto_increment primary key,
`name` varchar(100) not null,
email varchar(100) not null,
phone varchar(100) not null,
facebook varchar(100) not null,
linkedin varchar(100) not null,
twitter varchar(100) not null,
yourstory varchar(100) not null
);
<?php
//mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
mysqli_report(MYSQLI_REPORT_ALL);
error_reporting(E_ALL); // report all PHP errors
ini_set("display_errors", 1);
echo "start<br/>";
$name='a';
$email='b';
$phone='c';
$facebook='d';
$linkedin='e';
$twitter='f';
$yourstory='g';
try {
$mysqli= new mysqli('host', 'dbuser', 'password', 'databaseName');
if ($mysqli->connect_error) {
die('Connect Error (' . $mysqli->connect_errno . ') '
. $mysqli->connect_error);
}
echo "I am connected and feel happy.<br/>";
$query = "INSERT INTO `data`(`name`, email, phone, facebook, linkedin, twitter, yourstory)";
$query .= " VALUES (?,?,?,?,?,?,?)";
echo "1<br/>";
$stmt = $mysqli->prepare($query);
echo "2<br/>";
// note the 7 s's below, s is for string
$stmt->bind_param("sssssss", $name, $email, $phone,$facebook,$linkedin,$twitter,$yourstory);
echo "3<br/>";
$stmt->execute();
echo "4<br/>";
$stmt->close();
$mysqli->close();
} catch (mysqli_sql_exception $e) {
throw $e;
}
?>
select * from data;
+----+------+-------+-------+----------+----------+---------+-----------+
| id | name | email | phone | facebook | linkedin | twitter | yourstory |
+----+------+-------+-------+----------+----------+---------+-----------+
| 1 | a | b | c | d | e | f | g |
+----+------+-------+-------+----------+----------+---------+-----------+
答案 1 :(得分:0)
看起来你想要将你的连接对象传递给mysqli_query,而不是mysqli_connect。
我假设connect.php中有一个mysqli_connect语句。
更新您的代码,
mysqli_query($connect, $query) or die (mysqli_error($connect));
看看它是否有效。