Getting the warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement on line 45. I have counted what I believe is the correct number of parameters, 6, but I still get the error message. My coding knowledge is not up to scratch; I was told to update this for my company because it is open to SQL injection.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
$mysqli = new mysqli("????", "?????", "", "?????");
$mysqli->set_charset("utf8mb4");
} catch (Exception $e) {
error_log($e->getMessage());
exit('Error connecting to database');
}
/* GET THE DATA FROM Visitor TABLE */
$stmt = $mysqli->prepare("SELECT * FROM signin WHERE ID='$member[$x]'");
mysqli_stmt_bind_param($stmt, "ssssss", $memberid1, $fname1, $company, $visiting, $vehicle, $date);
$stmt->execute();
if ($stmt->affected_rows === 0) exit('No rows updated');
$stmt->close();
Answer 0 (score: 0)
Just...
INSERT INTO whatever (column1, column2, date) values (?, ?, now())
and use a prepared query, because right now you are injecting, which is not good.
Edit: better:
INSERT INTO signout
(id, full_name, company, visiting, vehicle, date)
SELECT id, full_name, company, visiting, vehicle, now()
FROM signin
WHERE id = ?
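The answer's INSERT ... SELECT wired up with mysqli, as an added example that is not the answerer's code: the only value that comes from the user is the visitor id, so the statement has exactly one placeholder and exactly one bound variable (the question's code bound six variables to a statement with none, which is what the warning reports). The connection credentials and the $member array are placeholders, not values from the page.

```php
<?php
// Added example. Copies a visitor's signin row into signout with one bound
// parameter, following the INSERT ... SELECT from the answer above.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function signOutVisitor(mysqli $mysqli, string $memberId): int
{
    // The id never becomes part of the SQL text, so it cannot change the
    // query's structure. One "?" in the SQL means one variable in bind_param.
    $stmt = $mysqli->prepare(
        "INSERT INTO signout (id, full_name, company, visiting, vehicle, date)
         SELECT id, full_name, company, visiting, vehicle, NOW()
         FROM signin WHERE id = ?"
    );
    $stmt->bind_param("s", $memberId);   // exactly one type char, one variable
    $stmt->execute();
    $copied = $stmt->affected_rows;      // 0 when no signin row has that id
    $stmt->close();
    return $copied;
}

try {
    // Placeholder credentials; replace with your own.
    $mysqli = new mysqli("db-host", "db-user", "db-password", "db-name");
    $mysqli->set_charset("utf8mb4");

    // Constructed sample input standing in for the ids posted by the form.
    $member = ['V-1001', 'V-1002'];
    foreach ($member as $x => $memberId) {
        if (signOutVisitor($mysqli, (string) $memberId) === 0) {
            echo "No signin row for id " . htmlspecialchars($memberId) . "\n";
        }
    }
} catch (mysqli_sql_exception $e) {
    // With MYSQLI_REPORT_STRICT every connection and query failure lands here.
    error_log($e->getMessage());
    exit('Database error');
}
```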