您的位置: 首页  >  技术问答  >  mysqli_stmt :: bind_param():类型定义字符串中的元素数与绑定变量警告数不匹配

mysqli_stmt :: bind_param():类型定义字符串中的元素数与绑定变量警告数不匹配

分类: 技术问答 2022-03-09 19:29:14
问题描述:

My codes for the prevention of SQL injection isn't working. Can anyone help me?

I'm receiving this warning: Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables.

Thanks.

$mysqli = new mysqli('localhost', 'root', '', 'Muproj');    
$query="INSERT INTO tblmember VALUES (':id', ':uname' , ':passwrd' , ':name' , ':surname' ,':0' )";
$stmt = $mysqli->prepare($query);
$stmt->bind_param(':id', $newid);
$stmt->bind_param(':uname', $C_uname);
$stmt->bind_param(':passwrd', $C_passwrd);
$stmt->bind_param(':name', $C_name);
$stmt->bind_param( ':surname', $C_surname);
$stmt->bind_param(':0', '0');
$stmt->execute();
$result=mysql_query($stmt);

我的防止SQL注入的代码无效。 谁能帮我? p>

我收到此警告: 警告:mysqli_stmt :: bind_param():类型定义字符串中的元素数与绑定变量数不匹配。 p>

谢谢。 p> 

  $ mysqli = new mysqli('localhost','root','','Muproj');  
 $ query =“INSERT INTO tblmember VALUES(':id',':uname',':passwrd',':name',':surname',':0')”; 
 $ stmt = $ mysqli  - > prepare($ query); 
 $ stmt-> bind_param(':id',$ newid); 
 $ stmt-> bind_param(':uname',$ C_uname); 
 $ stmt-  > bind_param(':passwrd',$ C_passwrd); 
 $ stmt-> bind_param(':name',$ C_name); 
 $ stmt-> bind_param(':surname',$ C_surname); \  n $ stmt-> bind_param(':0','0'); 
 $ stmt-> execute(); 
 $ result = mysql_query($ stmt); 
  code>  pre>  
  div>

you appear to be mixing PDO syntax with MySQLi syntax.

Please read up on http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

I do not use PDO myself much, but I do use MySQLi, so your references as :something are PDO declarations, but the SQL functions you use are MySQLi.

With a MySQLi bind_param function you need to add all the data into an array-like row (it may actually be an array), but preceeded by a declaration of types, as in String, integer, Double and Blob.

I have rewritten your code in the MySQLi form:

$mysqli = new mysqli('localhost', 'root', '', 'Muproj');    
$query="INSERT INTO tblmember VALUES (?, ? , ? , ? , ? ,? )";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("issssi", $newid, $C_uname, $C_passwrd, $C_name, $C_surname, $zero)
$stmt->execute();
//$result=mysqli_query($stmt);

You need to do some serious research as to the differences of approach and formatting and functionality between MySQLi and PDO. Also be careful to maintain ALL your MySQL as MySQLi , as for example your $result was using the deprectated MySQL query statement.

PS: I would also suggest for clarity and forward compatibility that your INSERT statement in the SQL reads as:

 INSERT INTO table_name (column_names1, column_name2, column_names3, ...) VALUES (?,?,?, ...)

So you and the SQL can clearly see which values are plugged into which columns.

相关推荐