douzhongqiu5032 2013-12-19 11:12
Views: 42
Accepted

Why does this prepared statement throw an error?

Having learnt the basics of PHP and MySQL, I am now learning how to protect against SQL injection attacks by using prepared statements. I have the following code:

for ($i = 0; $i < $delegateno; $i++) {
    // Insert delegate information into the delegates table
    $q = "INSERT INTO delegates (delegate_id,booker_name, booker_email, booker_tel, booker_company, delegate_name, delegate_email, delegate_tel) VALUES (NULL, ?, ?, ?, ?, ?, ?, ? )";
    $stmt = mysqli_query($dbc, $q);
    mysqli_stmt_bind_param($stmt, 'sssssss', $fullname, $email, $tel, $company, $delegatename[$i], $delegateemail[$i], $delegatetel[$i]);
    mysqli_stmt_execute($stmt);
}

However, this throws:

Notice: Query: INSERT INTO delegates (delegate_id,booker_name, booker_email, booker_tel, booker_company, delegate_name, delegate_email, delegate_tel) VALUES (NULL, ?, ?, ?, ?, ?, ?, ? )
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?, ?, ?, ?, ?, ?, ? )'

What am I doing wrong?


1 answer

  • duanqiongdu9916 2013-12-19 11:14

    Because you're executing the raw query containing the placeholders. You need to prepare() the query first.

    This is how it goes (usually): prepare -> bind_param -> execute -> fetch.

    Change:

    $stmt = mysqli_query($dbc, $q);

    to:

    $stmt = mysqli_prepare($dbc, $q);
    Accepted as the best answer by the asker.
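The full prepare -> bind_param -> execute flow from the answer, applied to the asker's loop, as an added example that is neither the asker's nor the answerer's code. It goes one step beyond the one-line fix: the statement is prepared once outside the loop and only the per-delegate variables change between executions, and `mysqli_report()` is switched to exception mode so a failed `mysqli_prepare()` can never hand `false` on to `mysqli_stmt_bind_param()`. The connection details are placeholders, the booking data is constructed for the example, and the `delegates` table is assumed to be the one from the question.

```php
<?php
// Added example, not from the question or the answer.
// Assumes: the `delegates` table from the question (delegate_id is AUTO_INCREMENT),
// placeholder connection details below, and constructed sample booking data.
declare(strict_types=1);

// Raise mysqli_sql_exception on any error instead of returning false. Without this,
// a failed mysqli_prepare() returns false and bind_param() is then called on false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$dbc = mysqli_connect('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                      'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
mysqli_set_charset($dbc, 'utf8mb4');

// Constructed sample booking: one booker registering two delegates.
// The apostrophes would corrupt a string-concatenated query; as bound
// parameters they are just data and never reach the SQL parser.
$fullname = 'Alice Example';
$email    = 'alice@example.test';
$tel      = '+44 20 0000 0000';
$company  = "O'Reilly Hotels Ltd";
$delegatename  = ['Bob Example', "Carol O'Neil"];
$delegateemail = ['bob@example.test', 'carol@example.test'];
$delegatetel   = ['+44 20 0000 0001', '+44 20 0000 0002'];
$delegateno    = count($delegatename);

// 1. prepare: send the SQL with placeholders to the server once, outside the loop.
//    The server parses the statement now; parameter values cannot change its structure.
$q = 'INSERT INTO delegates (delegate_id, booker_name, booker_email, booker_tel, booker_company,'
   . ' delegate_name, delegate_email, delegate_tel) VALUES (NULL, ?, ?, ?, ?, ?, ?, ?)';
$stmt = mysqli_prepare($dbc, $q);

// 2. bind_param: bind once. mysqli keeps references to these variables and reads
//    their current values at every execute(), so they can be reassigned in the loop.
$dname = $demail = $dtel = '';
mysqli_stmt_bind_param($stmt, 'sssssss',
    $fullname, $email, $tel, $company, $dname, $demail, $dtel);

// 3. execute: once per delegate, changing only the per-delegate variables.
$inserted = [];
for ($i = 0; $i < $delegateno; $i++) {
    $dname  = $delegatename[$i];
    $demail = $delegateemail[$i];
    $dtel   = $delegatetel[$i];
    mysqli_stmt_execute($stmt);
    $inserted[] = mysqli_stmt_insert_id($stmt); // AUTO_INCREMENT delegate_id of this row
}

mysqli_stmt_close($stmt);
mysqli_close($dbc);

printf("Inserted %d delegate rows (ids: %s)\n", count($inserted), implode(', ', $inserted));
```

Binding inside the loop to `$delegatename[$i]` as the asker did also works once `mysqli_prepare()` is used, but preparing and binding once avoids re-parsing the statement on every iteration and keeps the three steps in the answer's order. If you prefer not to enable exception mode, check `$stmt === false` after `mysqli_prepare()` and read `mysqli_error($dbc)` before touching the statement.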
