尝试修复更新语句后出现致命错误

时间:2016-07-28 13:11:13

标签: php mysql prepared-statement

我试图使更新语句成为安全的反对sql注入但它给我这个错误致命错误:在第39行的非对象上调用成员函数bind_param()

$pid = $_POST['pid'];
$pagetitle = $_POST['pagetitle'];
$linklabel = $_POST['linklabel'];
$keyword = $_POST['keyword'];
$descriere = $_POST['descriere'];
$data = $_POST['data'];
$pagebody = $_POST['pagebody'];
// Filter Function -------------------------------------------------------------------
function filterFunction ($var) { 
    $var = nl2br(htmlspecialchars($var));
    $var = str_replace("/", "\\\\", $var);
    $var = preg_replace("~/~", "\\\\", $var);

    return $var; 
} 
$pagetitle = filterFunction($pagetitle);
$linklabel = filterFunction($linklabel);
$keyword = filterFunction($keyword);
$descriere = filterFunction($descriere);
$data = filterFunction($data);
$pagebody = filterFunction($pagebody);
// End Filter Function --------------------------------------------------------------
include_once "../conx.php";
// Add the updated info into the database table
$stmt = $con->prepare("UPDATE pages SET (pagetitle, linklabel, keywords, description, pagebody, lastmodified) VALUES (?, ?, ?, ?, ?, ?) WHERE id = ?");
    // TODO check that $stmt creation succeeded
    // "s" means the database expects a string
    $stmt->bind_param("sssssss", $pagetitle, $linklabel, $keyword, $descriere, $pagebody, $data, $pid);
    $stmt->execute();
    $stmt->close();

第39行是$stmt->bind_param("sssssss", $pagetitle, $linklabel, $keyword, $descriere, $pagebody, $data, $pid);

有必要做到这一点,或者我可以恢复到之前的状态

$query = mysqli_query($con, "UPDATE pages SET pagetitle='$pagetitle', linklabel='$linklabel', pagebody='$pagebody', lastmodified='now()' WHERE id='$pid'") or die (mysqli_error($con));

1 个答案:

答案 0 :(得分:1)

这不会产生错误吗?

$con->prepare("UPDATE pages SET (pagetitle, linklabel, keywords, description, pagebody, lastmodified) VALUES (?, ?, ?, ?, ?, ?) WHERE id = ?");

这应该是

$con->prepare("UPDATE pages SET pagetitle=?, linklabel=?, keywords=?, description=?, pagebody=?, lastmodified=? WHERE id = ?");

参考:http://dev.mysql.com/doc/refman/5.7/en/update.html

现在您可以继续绑定参数

$stmt->bind_param("sssssss", $pagetitle, $linklabel, $keyword, $descriere, $pagebody, $data, $pid);
相关问题
最新问题