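This is a school project. I am trying to post to the database, but after I click submit it returns an error about the bind_param line:
Fatal error: Uncaught Error: Call to a member function bind_param() on boolean in /var/www/html/ticketsysteem/acties/nieuwTicket.php:42 Stack trace: #0 {main} thrown in /var/www/html/ticketsysteem/acties/nieuwTicket.php on line 42
Can anyone help me?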
<?php
// variables
$naam = trim($_POST["klantNaam"]);
$achternaam = trim($_POST["klantAchternaam"]);
$tel = trim($_POST["klantTel"]);
$adres = trim($_POST["klantAdres"]);
$postcode = trim($_POST["klantPostc"]);
$stad = trim($_POST["klantStad"]);
$email = trim($_POST["klantEmail"]);
// new customer
if (isset($_POST['submit1'])) {
$insertklant= $connectie->prepare("INSERT INTO klant klantAchternaam = $achternaam,
klantNaam = $naam, klantTel = $tel, klantAdres = $adres, klantPostc = $postcode,
klantStad = $stad, klantEmail = $email");
$insertklant->bind_param('sssssss', $achternaam, $naam, $tel, $adres, $postcode, $stad, $email);
if($insertklant->execute()) {
echo 'gelukt!';
}
}
?>
<form name="nieuwTicket" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="POST">
<button onclick="nieuwek()" type="button" id="nk" >nieuwe klant </button>
<label class="hidden01">naam:</label><input id="text1" type="text" name="klantNaam" class="hidden"/><br>
<label class="hidden01">achternaam:</label><input id="text1" type="text" name="klantAchternaam" class="hidden"/><br>
<label class="hidden01">adres:</label><input id="text1" type="text" name="klantAdres" class="hidden"/><br>
<label class="hidden01">postcode:</label><input id="text1" type="text" name="klantPostc" class="hidden"/><br>
<label class="hidden01">woonplaats:</label><input id="text1" type="text" name="klantStad" class="hidden"/><br>
<label class="hidden01">telefoonnummer:</label><input id="text1" type="text" name="klantTel" class="hidden"/><br>
<input type="submit" name="submit1" value="invoeren" class="hidden">
</form>
Answer 0 (score: 2)
Learn how to use prepared statements and how they actually work:
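<?php
// Every user-supplied value is represented by a ? placeholder.
// MySQL's column = value form of INSERT requires the SET keyword.
$stmt = $connectie->prepare("
    INSERT INTO klant SET
        klantAchternaam = ?,
        klantNaam = ?,
        klantTel = ?,
        klantAdres = ?,
        klantPostc = ?,
        klantStad = ?,
        klantEmail = ?
");
// prepare() returns false when the SQL is invalid, so check before binding.
if ($stmt) {
    // Seven 's' type codes: one string parameter per placeholder, in order.
    $stmt->bind_param('sssssss', $achternaam, $naam, $tel, $adres, $postcode, $stad, $email);
    if ($stmt->execute()) {
        echo 'gelukt!';
    }
}
?>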
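Your current code is open to SQL injection, whereas the code above is fully protected against it. The whole idea of prepared statements is that you never have to concatenate user-submitted values directly into the SQL query.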
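
An added example, not part of the original question or answer: "bind_param() on boolean" means `prepare()` returned `false`, so this sketch makes mysqli raise an exception carrying the server's message at that point, and inserts the row using only placeholders. It uses the standard `INSERT ... (columns) VALUES (?)` form; the helper name `insertKlant()` and the connection credentials are placeholders, and the `klant` column names are assumed from the question.

```php
<?php
// Added example. Throw mysqli_sql_exception instead of returning false, so a
// bad query fails at prepare() with the real SQL error (default since PHP 8.1).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Hypothetical helper: insert one customer from submitted form data. */
function insertKlant(mysqli $connectie, array $post): bool
{
    // Fixed column list (assumed from the question); never taken from user input.
    $fields = ['klantAchternaam', 'klantNaam', 'klantTel', 'klantAdres',
               'klantPostc', 'klantStad', 'klantEmail'];

    $values = [];
    foreach ($fields as $field) {
        // A missing or non-string field (e.g. klantNaam[]=x) becomes ''.
        $raw = $post[$field] ?? '';
        $values[] = is_string($raw) ? trim($raw) : '';
    }

    // User data only ever travels through the ? placeholders.
    $sql = 'INSERT INTO klant (' . implode(', ', $fields) . ') VALUES ('
         . implode(', ', array_fill(0, count($fields), '?')) . ')';

    $stmt = $connectie->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    $inserted = ($stmt->affected_rows === 1);
    $stmt->close();
    return $inserted;
}

if (isset($_POST['submit1'])) {
    try {
        // Placeholder credentials: replace with the project's own settings.
        $connectie = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
        if (insertKlant($connectie, $_POST)) {
            echo 'gelukt!';
        }
    } catch (mysqli_sql_exception $e) {
        // Detail goes to the server log; the visitor sees only a generic status.
        error_log('klant insert failed: ' . $e->getMessage());
        http_response_code(500);
    }
}
```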