dstd2129 2015-03-29 12:50
浏览 132
已采纳

mysqli_stmt :: bind_param():类型定义字符串中的元素数与绑定变量警告数不匹配

My codes for the prevention of SQL injection isn't working. Can anyone help me?

I'm receiving this warning: Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables.

Thanks.

$mysqli = new mysqli('localhost', 'root', '', 'Muproj');    
$query="INSERT INTO tblmember VALUES (':id', ':uname' , ':passwrd' , ':name' , ':surname' ,':0' )";
$stmt = $mysqli->prepare($query);
$stmt->bind_param(':id', $newid);
$stmt->bind_param(':uname', $C_uname);
$stmt->bind_param(':passwrd', $C_passwrd);
$stmt->bind_param(':name', $C_name);
$stmt->bind_param( ':surname', $C_surname);
$stmt->bind_param(':0', '0');
$stmt->execute();
$result=mysql_query($stmt);
  • 写回答

1条回答 默认 最新

  • duan0414 2015-03-29 13:36
    关注

    you appear to be mixing PDO syntax with MySQLi syntax.

    Please read up on http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

    I do not use PDO myself much, but I do use MySQLi, so your references as :something are PDO declarations, but the SQL functions you use are MySQLi.

    With a MySQLi bind_param function you need to add all the data into an array-like row (it may actually be an array), but preceeded by a declaration of types, as in String, integer, Double and Blob.

    I have rewritten your code in the MySQLi form:

    $mysqli = new mysqli('localhost', 'root', '', 'Muproj');    
    $query="INSERT INTO tblmember VALUES (?, ? , ? , ? , ? ,? )";
    $stmt = $mysqli->prepare($query);
    $stmt->bind_param("issssi", $newid, $C_uname, $C_passwrd, $C_name, $C_surname, $zero)
    $stmt->execute();
    //$result=mysqli_query($stmt);
    

    You need to do some serious research as to the differences of approach and formatting and functionality between MySQLi and PDO. Also be careful to maintain ALL your MySQL as MySQLi , as for example your $result was using the deprectated MySQL query statement.

    PS: I would also suggest for clarity and forward compatibility that your INSERT statement in the SQL reads as:

     INSERT INTO table_name (column_names1, column_name2, column_names3, ...) VALUES (?,?,?, ...)
    

    So you and the SQL can clearly see which values are plugged into which columns.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 qt中connect两个signal
  • ¥20 pix2pixHD运行测试命令时出现数据类型错误无法反向传播的问题
  • ¥15 python处理Excel符合条件的行自动填写数据分类
  • ¥15 汇编hook举例并讲解(通俗易懂,学习用)
  • ¥20 用c++语言模拟键盘电子琴设计
  • ¥15 STM32cubemx生成keil工程,有问题与正常的情况不同,求解!
  • ¥15 如何自动点击银行app的安全键盘,实现密码自动输入
  • ¥15 关于四边形重叠的问题
  • ¥15 用verilog语言设计一个简易的八音符电子琴,可通过按键输入来控制音响。演奏时可以选择是手演奏(由键盘输入)或自动演奏已存入的乐曲。能够自动演奏多首乐曲,且每首乐曲可重复演奏
  • ¥15 sap gui脚本每次到导出Excel的时候就停住不动。不会另存为。