dshgnt2008 2013-09-23 17:39
浏览 66
已采纳

参数号无效:绑定变量数与令牌数不匹配 - php错误

I basically receive the following error when running the below piece of code:

Failed to run query: SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens

I'm new to php and am not sure why I am receiving this error... I have used this piece of code for an INSERT (not UPDATE) statement in the past and it worked fine.

The code has been copied from another site, and is simply being used as a test...

// First we execute our common code to connection to the database and start the session 
require("common.php"); 

 $id = $_GET[id];

// This if statement checks to determine whether the registration form has been submitted 
// If it has, then the registration code is run, otherwise the form is displayed 
if(!empty($_POST)) 
{

    // Ensure that the user has entered a non-empty password 
    if(empty($_POST['password'])) 
    { 
        die("Please enter a password."); 
    } 

    // Ensure that the user has entered a non-empty username 
    if(empty($_POST['confirmpassword'])) 
    { 
        // Note that die() is generally a terrible way of handling user errors 
        // like this.  It is much better to display the error with the form 
        // and allow the user to correct their mistake.  However, that is an 
        // exercise for you to implement yourself. 
        die("Please confirm your password."); 
    } 

     if ($_POST["password"] == $_POST["confirmpassword"]) {

    // An INSERT query is used to add new rows to a database table. 
    // Again, we are using special tokens (technically called parameters) to 
    // protect against SQL injection attacks. 
    $query = "UPDATE Staff SET password=:password, salt=:salt WHERE id=:id"; 

    // A salt is randomly generated here to protect again brute force attacks 
    // and rainbow table attacks.  The following statement generates a hex 
    // representation of an 8 byte salt.  Representing this in hex provides 
    // no additional security, but makes it easier for humans to read. 
    $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 

    // This hashes the password with the salt so that it can be stored securely 
    // in your database.  The output of this next statement is a 64 byte hex 
    // string representing the 32 byte sha256 hash of the password.  The original 
    // password cannot be recovered from the hash. 
    $password = hash('sha256', $_POST['password'] . $salt); 

    // Next we hash the hash value 65536 more times.  The purpose of this is to 
    // protect against brute force attacks.  Now an attacker must compute the hash 65537 
    // times for each guess they make against a password, whereas if the password 
    // were hashed only once the attacker would have been able to make 65537 different  
    // guesses in the same amount of time instead of only one. 
    for($round = 0; $round < 65536; $round++) 
    { 
        $password = hash('sha256', $password . $salt); 
    }  

    try 
    { 
        // Execute the query to create the user 
        $stmt = $db->prepare($query); 
        $stmt->execute(array(
        ':password' => $password,
        ':salt' => $salt)); 


    } 
    catch(PDOException $ex) 
    { 
        // Note: On a production website, you should not output $ex->getMessage(). 
        // It may provide an attacker with helpful information about your code.  
        die("Failed to run query: " . $ex->getMessage()); 
    } 

    // This redirects the user back to the login page after they register 
    header("Location: login.php"); 

    // Calling die or exit after performing a redirect using the header function 
    // is critical.  The rest of your PHP script will continue to execute and 
    // will be sent to the user if you do not die or exit. 
    die("Redirecting to login.php"); 
} 
}

Thanks a lot, Joe

  • 写回答

2条回答 默认 最新

  • drzdu44226 2013-09-23 17:42
    关注

    You missing the :id parameter:

    $stmt->execute(array(
        ':password' => $password,
        ':salt' => $salt,
        ':id' => $id
    )); 
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?