协助准备声明

时间:2017-05-05 09:28:43

标签: php sql mysqli

编辑:错误:列数与第1行的值计数不匹配

我现在已经尝试了很长时间(如果不是多次尝试的几天),设置一个准备好的语句来阻止SQL注入攻击,我就是无法理解它。有人可以帮我解决这个问题并指出我哪里出错了吗?我想学习如何做到这一点,以便将来可以使用它,但按照这个速度,我永远不会得到它。

表格:

            <form action="php/xaddPlayerSkills.php" method="post">      <!--player skills form to be added-->
        playerID  : <input type="int" name="playerID" value="<?php  echo $playerID ?>" readonly> </td></tr>
        SquadID: <input type="text" name="squadID"><br>
        Passing: <input type="text" name="passing" value="Standard: Spin: Pop:"><br>
        Tackling: <input type="text" name="tackling" value="Front: Rear: Side: Scrabble:"><br>
        Kicking: <input type="text" name="kicking" value="Drop: Punt: Grubber: Goal:"><br>

        Comments: <input type="text" name="comments"><br>
        Date: <input type="date" name="date"><br>

        <input type="Submit" value = "Add ">
        </form>

这是我的处理页面:

<?php session_start(); include('functions.php');


        $sheetNo="";
        $playerID=$_POST['playerID'];

        $squadID=$_POST['squadID'];
        $passing=$_POST['passing'];
        $kicking=$_POST['kicking'];
        $tackling=$_POST['tackling'];
        $comments=$_POST['comments'];
        $date=$_POST['date'];

                    /*  Use for error testing - Uncomment to check variable values when executed
                    ini_set('display_errors', 'On'); ini_set('html_errors', 0); error_reporting(-1);
                    print_r($_POST); */






                  //sets up and executes the connection using the information held above

/ *这里有连接信息,但我已将其删除,因为它是证书* / 

                  $con=mysqli_connect($host,$user,$userpass,$schema);
                  // Error handling: If connection fails, the next lines of code will error handle the problem and if possible, give a reason why.
             if (mysqli_connect_errno())
               {
               echo "Failed to connect to MySQL: " . mysqli_connect_error();
               }



            $result= mysqli_query($con,"INSERT INTO playerSkills VALUES (playerID,squadID,passing,tackling,kicking,comments,date)");

            $insert=$con->prepare($result);
            $insert->bind_param("isssssd",$playerID,$squadID,$passing,$tackling,$kicking,$comments,$date);
            $insert->execute();
            $insert->close();

        mysqli_close($con);
        header ("location: ../databasePlayers.php");
        ?>

1 个答案:

答案 0 :(得分:1)

您的代码中存在一些问题,但最值得注意的是查询中的占位符,应该?而不是VALUES (playerID,squadID,passing,tackling,kicking...之类的内容以及您&#39 ;使用类型double d来描述日期:

$con=mysqli_connect($host,$user,$userpass,$schema);
// Error handling: If connection fails, the next lines of code will error handle the problem and if possible, give a reason why.
if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

$result= "INSERT INTO playerSkills VALUES (?,?,?,?,?,?,?)";

$insert=$con->prepare($result);
$insert->bind_param("issssss",$playerID,$squadID,$passing,$tackling,$kicking,$comments,$date); // change d to s for the date
$insert->execute();
$insert->close();

阅读docs以获取有关数据类型的说明。 d用于双打,而不是日期。然后查看您应该用作占位符的示例。

编辑:注意 - 如果其中一列是AUTO INCREMENT列,则不应将其包含在查询中,因为数据库将负责确保列正确更新。

相关问题
最新问题