尝试使用Prepared Statements更新我的Mysqli查询(出于安全原因,因为我需要将变量用于查询),没有运气可以让它工作,任何想法?
此外,还可以将表名$ this->userTbl替换为?,并在$smtp上声明吗?
function __construct(){
if(!isset($this->db)){
// Connect to the database
$conn = new mysqli($this->dbhost, $this->dbUsername, $this->dbPassword, $this->dbName);
if($conn->connect_error){
die("Failed to connect with MySQL: " . $conn->connect_error);
}else{
$this->db = $conn;
}
}
}
function checkUser($userData = array()){
if(!empty($userData)){
// Check whether user data already exists in database
//$prevQuery = "SELECT * FROM ".$this->userTbl." WHERE oauth_provider = '".$userData['oauth_provider']."' AND oauth_uid = '".$userData['oauth_uid']."'"; //<<-- THIS WAS WORKING
$stmt = $prevQuery->prepare = "SELECT * FROM ".$this->userTbl." WHERE oauth_provider=? AND oauth_uid=?";
$stmt->bind_param("ss", $userData['oauth_provider'], $userData['oauth_uid']);
$stmt->execute();
$prevResult = $this->db->query($prevQuery);
if($prevResult->num_rows > 0){
// USER EXIST!! , update data
$query = "UPDATE ".$this->userTbl." SET ...
}else{
//NEW USER
$query = "INSERT INTO ".$this->userTbl." SET ...
}