dstd2129 2015-03-29 12:50
浏览 133
已采纳

mysqli_stmt :: bind_param():类型定义字符串中的元素数与绑定变量警告数不匹配

My codes for the prevention of SQL injection isn't working. Can anyone help me?

I'm receiving this warning: Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables.

Thanks.

$mysqli = new mysqli('localhost', 'root', '', 'Muproj');    
$query="INSERT INTO tblmember VALUES (':id', ':uname' , ':passwrd' , ':name' , ':surname' ,':0' )";
$stmt = $mysqli->prepare($query);
$stmt->bind_param(':id', $newid);
$stmt->bind_param(':uname', $C_uname);
$stmt->bind_param(':passwrd', $C_passwrd);
$stmt->bind_param(':name', $C_name);
$stmt->bind_param( ':surname', $C_surname);
$stmt->bind_param(':0', '0');
$stmt->execute();
$result=mysql_query($stmt);
  • 写回答

1条回答 默认 最新

  • duan0414 2015-03-29 13:36
    关注

    you appear to be mixing PDO syntax with MySQLi syntax.

    Please read up on http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

    I do not use PDO myself much, but I do use MySQLi, so your references as :something are PDO declarations, but the SQL functions you use are MySQLi.

    With a MySQLi bind_param function you need to add all the data into an array-like row (it may actually be an array), but preceeded by a declaration of types, as in String, integer, Double and Blob.

    I have rewritten your code in the MySQLi form:

    $mysqli = new mysqli('localhost', 'root', '', 'Muproj');    
$query="INSERT INTO tblmember VALUES (?, ? , ? , ? , ? ,? )";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("issssi", $newid, $C_uname, $C_passwrd, $C_name, $C_surname, $zero)
$stmt->execute();
//$result=mysqli_query($stmt);

    You need to do some serious research as to the differences of approach and formatting and functionality between MySQLi and PDO. Also be careful to maintain ALL your MySQL as MySQLi , as for example your $result was using the deprectated MySQL query statement.

    PS: I would also suggest for clarity and forward compatibility that your INSERT statement in the SQL reads as:

     INSERT INTO table_name (column_names1, column_name2, column_names3, ...) VALUES (?,?,?, ...)

    So you and the SQL can clearly see which values are plugged into which columns.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 metadata提取的PDF元数据,如何转换为一个Excel
  • ¥15 关于arduino编程toCharArray()函数的使用
  • ¥100 vc++混合CEF采用CLR方式编译报错
  • ¥15 coze 的插件输入飞书多维表格 app_token 后一直显示错误,如何解决?
  • ¥15 vite+vue3+plyr播放本地public文件夹下视频无法加载
  • ¥15 c#逐行读取txt文本,但是每一行里面数据之间空格数量不同
  • ¥50 如何openEuler 22.03上安装配置drbd
  • ¥20 ING91680C BLE5.3 芯片怎么实现串口收发数据
  • ¥15 无线连接树莓派,无法执行update,如何解决?(相关搜索:软件下载)
  • ¥15 Windows11, backspace, enter, space键失灵