bind_param causes an error, what am I doing wrong?

Time: 2017-01-12 02:20:29

Tags: php mysqli

This is a school project. I am trying to post to the database, but after I click submit it returns an error about the bind_param line:

Fatal error: Uncaught Error: Call to a member function bind_param() on boolean in /var/www/html/ticketsysteem/acties/nieuwTicket.php:42 Stack trace: #0 {main} thrown in /var/www/html/ticketsysteem/acties/nieuwTicket.php on line 42

Can anyone help me?

<?php
// variables
$naam = trim($_POST["klantNaam"]);
$achternaam = trim($_POST["klantAchternaam"]);
$tel = trim($_POST["klantTel"]);
$adres = trim($_POST["klantAdres"]);
$postcode = trim($_POST["klantPostc"]);
$stad = trim($_POST["klantStad"]);
$email = trim($_POST["klantEmail"]);

// new customer
if (isset($_POST['submit1'])) {
    $insertklant = $connectie->prepare("INSERT INTO klant klantAchternaam = $achternaam,
            klantNaam = $naam, klantTel = $tel, klantAdres = $adres, klantPostc = $postcode,
            klantStad = $stad, klantEmail = $email");
    $insertklant->bind_param('sssssss', $achternaam, $naam, $tel, $adres, $postcode, $stad, $email);

    if ($insertklant->execute()) {
        echo 'gelukt!';
    }
}
?>
            <form name="nieuwTicket" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="POST">
                <button onclick="nieuwek()" type="button" id="nk" >nieuwe klant </button>
                    <label class="hidden01">naam:</label><input id="text1" type="text" name="klantNaam" class="hidden"/><br>
                    <label class="hidden01">achternaam:</label><input id="text1" type="text" name="klantAchternaam" class="hidden"/><br>
                    <label class="hidden01">adres:</label><input id="text1" type="text" name="klantAdres" class="hidden"/><br>
                    <label class="hidden01">postcode:</label><input id="text1" type="text" name="klantPostc" class="hidden"/><br>			
                    <label class="hidden01">woonplaats:</label><input id="text1" type="text" name="klantStad" class="hidden"/><br>
                    <label class="hidden01">telefoonnummer:</label><input id="text1" type="text" name="klantTel" class="hidden"/><br>
                        <input type="submit" name="submit1" value="invoeren" class="hidden">
            </form>

1 answer:

Answer 0 (score: 2)

Learn how to use prepared statements and what they actually do:

<?php

  // MySQL's single-row INSERT needs the SET keyword before the column list;
  // without it prepare() fails and returns false.
  $stmt = $connectie->prepare("
    INSERT INTO klant SET
      klantAchternaam = ?,
      klantNaam = ?,
      klantTel = ?,
      klantAdres = ?,
      klantPostc = ?,
      klantStad = ?,
      klantEmail = ?
  ");

  // prepare() returns false on failure, so check before calling bind_param()
  if($stmt){
    $stmt->bind_param('sssssss', $achternaam, $naam, $tel, $adres, $postcode, $stad, $email);

    if($stmt->execute()) {
      echo 'gelukt!';
    }
  } else {
    echo 'prepare failed: ' . htmlspecialchars($connectie->error);
  }

?>

Your current code is open to SQL injection, while the code above is fully protected against it. The whole idea of prepared statements is that you never have to concatenate user-submitted values directly into the SQL query.
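The following is an added example, not code from the question or the answer above. It shows the complete insert as a mysqli prepared statement with error reporting switched on, so that a failing prepare() (the cause of the "bind_param() on boolean" error) is reported with the real MySQL message instead of surfacing one line later. It assumes an open mysqli connection in $connectie and a table klant with the column names used on this page; the function name insertKlant and the variable names are my own.

```php
<?php
// Added example: assumes $connectie is an open mysqli connection and that the
// table `klant` has the columns named in the question. insertKlant() is a
// hypothetical helper written for this example.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false, so a
// broken query is reported where it happens (prepare) with MySQL's own
// message, rather than as "bind_param() on boolean" on the next line.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one customer row using a prepared statement.
 * Returns the new row id; throws mysqli_sql_exception on any database error.
 */
function insertKlant(mysqli $connectie, array $post): int
{
    // Read each field with a default so a missing POST key does not produce
    // a notice; trim() as the original code does. Order matches the SQL below.
    $achternaam = trim((string)($post['klantAchternaam'] ?? ''));
    $naam       = trim((string)($post['klantNaam'] ?? ''));
    $tel        = trim((string)($post['klantTel'] ?? ''));
    $adres      = trim((string)($post['klantAdres'] ?? ''));
    $postcode   = trim((string)($post['klantPostc'] ?? ''));
    $stad       = trim((string)($post['klantStad'] ?? ''));
    $email      = trim((string)($post['klantEmail'] ?? ''));

    // INSERT ... SET is valid MySQL; the query on the page omitted SET, which
    // is why prepare() returned false. Only placeholders appear in the SQL
    // text, so user input can never change the statement's structure.
    $sql = 'INSERT INTO klant SET klantAchternaam = ?, klantNaam = ?, klantTel = ?, '
         . 'klantAdres = ?, klantPostc = ?, klantStad = ?, klantEmail = ?';

    $stmt = $connectie->prepare($sql);   // throws on a syntax error under REPORT_STRICT
    // Seven 's' type characters for seven string parameters, in SQL order.
    $stmt->bind_param('sssssss', $achternaam, $naam, $tel, $adres, $postcode, $stad, $email);
    $stmt->execute();
    $id = (int)$connectie->insert_id;
    $stmt->close();
    return $id;
}

if (isset($_POST['submit1'])) {
    try {
        $id = insertKlant($connectie, $_POST);
        echo 'gelukt! id=' . $id;
    } catch (mysqli_sql_exception $e) {
        // Keep the database detail in the server log; show the user a generic message.
        error_log('insertKlant failed: ' . $e->getMessage());
        echo 'opslaan mislukt';
    }
}
```

If you prefer not to enable exception reporting, the `if ($stmt)` check from the answer is the equivalent guard: when prepare() returns false, read `$connectie->error` to see why before going any further. Either way the user-supplied values travel to the server as bound parameters, separate from the SQL text, which is what removes the injection risk the answer describes.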