php bind_param statement not working

Time: 2017-01-04 04:15:06

Tags: php prepare

I am trying to make a registration form that prevents SQL injection, but I end up with a fatal error:

(Call to undefined method mysqli_stmt::bind_parm())

Can you guys help me understand why I get this fatal error? I would also like to know whether my code is vulnerable to hackers.

Here is the connection file

<?php
define('HOST','localhost');
define('USER','root');
define('PASSWORD_HOST','');
define('DATABASE','ubhs');

$conn = mysqli_connect(HOST, USER, PASSWORD_HOST, DATABASE);

// The original tested defined() on constants that were just defined above (always true)
// and then called an undefined constant and a non-existent function in the else branch;
// what actually needs checking is whether the connection succeeded.
if(!$conn){
    die('connection_failed: ' . mysqli_connect_error());
}

function test_input($data) {
    // Trims, strips backslashes and HTML-escapes a form value. This is output escaping,
    // not SQL protection; the prepared statement is what prevents SQL injection.
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

?>

Here is the relevant part of the PHP file

    $st_f_name_err1 = "";
    $st_f_name_err2 = "";
    $st_l_name_err1 = "";
    $st_l_name_err2 = "";
    $st_f_name = $_POST['st_f_name'] ?? ''; // avoid an undefined-index notice before the form is submitted
    $st_l_name = $_POST['st_l_name'] ?? '';
    $userinput = true; //trigger

if(isset($_POST['st_submit'])){

    if(empty($st_f_name)){
        $st_f_name_err1 = "You have to provide first Name";
        $userinput = false;
    }
    if (!preg_match("/^[a-zA-Z ]*$/",$st_f_name)){
        $st_f_name_err2 = "You can't provide numeric value in name field";
        $userinput = false;
    }else{
        $st_f_name = test_input($st_f_name);
    }
    if(empty($st_l_name)){
        $st_l_name_err1 = "You have to provide last Name";
        $userinput = false;
    }
    if (!preg_match("/^[a-zA-Z ]*$/",$st_l_name)){
        $st_l_name_err2 = "You can't provide numeric value in name field";
        $userinput = false;
    }else{
        $st_l_name = test_input($st_l_name);
    }
    if($userinput==true){
        // $st_class and $st_dob are not assigned anywhere in the code shown
        $stmt = $conn->prepare("INSERT INTO student_info (st_f_name,st_l_name,st_class,st_dob) VALUES(?,?,?,?)");
        $stmt->bind_parm("sssi",$st_f_name,$st_l_name, $st_class,$st_dob); // misspelled method name: this line raises the fatal error quoted above
        $stmt->execute();
    }
}

1 answer:

Answer 0: (score: 1)

I assume you have two files (hence the code improvements, and the TYPO marked):

<?php
include_once('connection.php'); // include your connection file or put your code directly here

$st_err = array(); // take error array
$st_f_name = '';
$st_l_name = '';

if(!empty($_POST['st_f_name']) && !empty($_POST['st_l_name'])){ // check with posted values not with button name
    $st_f_name = $_POST['st_f_name']; // assign values to variable
    $st_l_name = $_POST['st_l_name'];
    if (!preg_match("/^[a-zA-Z ]*$/",$st_f_name)){
        $st_err[] = "You can't provide numeric value in first name field"; // assign error to error array
    }else{
        $st_f_name = test_input($st_f_name);
    }
    if (!preg_match("/^[a-zA-Z ]*$/",$st_l_name)){
        $st_err[] = "You can't provide numeric value in last name field";// assign error to error array
    }else{
        $st_l_name = test_input($st_l_name);
    }
}else{
    $st_err[] = "you need to provide both first name and last name";// assign error to error array
}
if(count($st_err)>0){ // now check if error array have some value
    $error_string = "<ul>"; // create a string of ul li to show all errors
    foreach ($st_err as $st_er){
         $error_string .= "<li>".$st_er."</li>"; // append all errors
    }
    $error_string .= "</ul>";
    die($error_string); // show errors and stop execution
}else{ // if no error is there
    // $st_class and $st_dob must be assigned from the form before this point
    $stmt = $conn->prepare("INSERT INTO student_info (st_f_name,st_l_name,st_class,st_dob) VALUES(?,?,?,?)");
    $stmt->bind_param("sssi",$st_f_name,$st_l_name, $st_class,$st_dob);  // TYPO HERE a is missed in param
    $stmt->execute();
}
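As an added example (not code from the question or the answer), here is the same insert written so that a misspelled method, a failed prepare() or a failed execute() stops the script loudly instead of silently inserting nothing, with input validation kept separate from output escaping. It assumes connection.php from the question defines $conn, that the form posts st_f_name, st_l_name, st_class and st_dob, and keeps the page's "sssi" binding types.

```php
<?php
// Added example, not the asker's or answerer's code. MYSQLI_REPORT_STRICT turns
// mysqli failures into exceptions, so a bad query or a typo no longer fails quietly.
// Assumed: connection.php (from the question) defines $conn; the form posts
// st_f_name, st_l_name, st_class and st_dob; the page's "sssi" types are kept.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
require_once 'connection.php';

// Returns [list of error strings, cleaned values]. Validation only; no escaping here.
function validate_student(array $post): array
{
    $errors = [];
    $first = trim($post['st_f_name'] ?? '');
    $last  = trim($post['st_l_name'] ?? '');
    $class = trim($post['st_class'] ?? '');
    $dob   = filter_var($post['st_dob'] ?? '', FILTER_VALIDATE_INT); // "i" type in bind_param
    if (!preg_match('/^[a-zA-Z ]+$/', $first)) {
        $errors[] = 'First name must contain letters and spaces only';
    }
    if (!preg_match('/^[a-zA-Z ]+$/', $last)) {
        $errors[] = 'Last name must contain letters and spaces only';
    }
    if ($class === '') {
        $errors[] = 'Class is required';
    }
    if ($dob === false) {
        $errors[] = 'Date of birth must be a whole number';
    }
    return [$errors, [$first, $last, $class, $dob]];
}

// Placeholders keep the values out of the SQL text, so quotes or comment markers in
// a name cannot change the statement. htmlspecialchars() is not needed on the way in.
function insert_student(mysqli $conn, string $first, string $last, string $class, int $dob): int
{
    $stmt = $conn->prepare('INSERT INTO student_info (st_f_name, st_l_name, st_class, st_dob) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('sssi', $first, $last, $class, $dob);
    $stmt->execute();
    return $stmt->affected_rows;
}

if (isset($_POST['st_submit'])) {
    [$errors, $values] = validate_student($_POST);
    if ($errors) {
        // Escape at output time, where it belongs, so echoed input cannot inject HTML.
        echo '<ul><li>' . implode('</li><li>', array_map('htmlspecialchars', $errors)) . '</li></ul>';
    } else {
        insert_student($conn, ...$values);
    }
}
```

With exceptions enabled, the original `bind_parm()` typo is still a PHP fatal error, but any mysqli-level problem (bad column name, wrong placeholder count, connection failure) now throws mysqli_sql_exception instead of returning false unnoticed.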