dstd2129
2015-03-29 12:50 阅读 53
已采纳

mysqli_stmt :: bind_param():类型定义字符串中的元素数与绑定变量警告数不匹配

My codes for the prevention of SQL injection isn't working. Can anyone help me?

I'm receiving this warning: Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables.

Thanks.

$mysqli = new mysqli('localhost', 'root', '', 'Muproj');    
$query="INSERT INTO tblmember VALUES (':id', ':uname' , ':passwrd' , ':name' , ':surname' ,':0' )";
$stmt = $mysqli->prepare($query);
$stmt->bind_param(':id', $newid);
$stmt->bind_param(':uname', $C_uname);
$stmt->bind_param(':passwrd', $C_passwrd);
$stmt->bind_param(':name', $C_name);
$stmt->bind_param( ':surname', $C_surname);
$stmt->bind_param(':0', '0');
$stmt->execute();
$result=mysql_query($stmt);
  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享

1条回答 默认 最新

  • 已采纳
    duan0414 duan0414 2015-03-29 13:36

    you appear to be mixing PDO syntax with MySQLi syntax.

    Please read up on http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

    I do not use PDO myself much, but I do use MySQLi, so your references as :something are PDO declarations, but the SQL functions you use are MySQLi.

    With a MySQLi bind_param function you need to add all the data into an array-like row (it may actually be an array), but preceeded by a declaration of types, as in String, integer, Double and Blob.

    I have rewritten your code in the MySQLi form:

    $mysqli = new mysqli('localhost', 'root', '', 'Muproj');    
    $query="INSERT INTO tblmember VALUES (?, ? , ? , ? , ? ,? )";
    $stmt = $mysqli->prepare($query);
    $stmt->bind_param("issssi", $newid, $C_uname, $C_passwrd, $C_name, $C_surname, $zero)
    $stmt->execute();
    //$result=mysqli_query($stmt);
    

    You need to do some serious research as to the differences of approach and formatting and functionality between MySQLi and PDO. Also be careful to maintain ALL your MySQL as MySQLi , as for example your $result was using the deprectated MySQL query statement.

    PS: I would also suggest for clarity and forward compatibility that your INSERT statement in the SQL reads as:

     INSERT INTO table_name (column_names1, column_name2, column_names3, ...) VALUES (?,?,?, ...)
    

    So you and the SQL can clearly see which values are plugged into which columns.

    点赞 评论 复制链接分享

相关推荐