Warning: mysqli_stmt_bind_param() expects paramete

2020-04-11 01:10发布

站内文章 / PHP
76 0 0

问题:

This question already has an answer here:
mysqli_fetch_assoc() expects parameter / Call to a member function bind_param() errors. How to get the actual mysql error and fix it? (1 answer)
Closed 2 years ago.

this is the first time ever that I am trying to secure my code against sql injection using mysqli prepared statement. so please be gentle and explain things in simple terms so I can understand it.

Now I am using the following code which I thought i was right but it throws these errors and I do not understand that at all.

here is the errors:

Warning: mysqli_stmt_bind_param() expects parameter 1 to be mysqli_stmt, boolean given in on line 92

Warning: mysqli_stmt_execute() expects parameter 1 to be mysqli_stmt, boolean given in on line 93

Warning: mysqli_stmt_close() expects parameter 1 to be mysqli_stmt, boolean given in  on line 96

here is the code:

$stmt = mysqli_prepare(
    $db_conx,
    "INSERT $storenameTable (firstname, lastname, username, address_1, address_2, postcode,  country, county, city, email, password, storeShop, signupdate) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
);
//after validation, of course
mysqli_stmt_bind_param($stmt, "issi", $firstname, $lastname, $username, $address_1, $address_2, $postcode, $country, $county, $city, $email, $hashedPass, $storenameTable);
mysqli_stmt_execute($stmt);     <//<<<<<<<< line 92
if (mysqli_affected_rows($db_conx))     <//<<<<<<<< line 93
{
    mysqli_stmt_close($stmt);  <//<<<<<<<< line 96
    //update was successful
    $id = mysqli_insert_id($db_conx);
}

i would appreciate your help.

回答1:

It seems that you have a missing parameter, you should have 13 parameters and 13 ? check the two parameters after password. (I took out signupdate) try the below :

$stmt = mysqli_prepare(
    $db_conx,
    "INSERT INTO $storenameTable (firstname, lastname, username, address_1, address_2, postcode,  country, county, city, email, password, storeShop) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
);
//after validation, of course
mysqli_stmt_bind_param($stmt, "issi", $firstname, $lastname, $username, $address_1, $address_2, $postcode, $country, $county, $city, $email, $hashedPass, $storenameTable);
mysqli_stmt_execute($stmt);     <//<<<<<<<< line 92
if (mysqli_affected_rows($db_conx))     <//<<<<<<<< line 93
{
    mysqli_stmt_close($stmt);  <//<<<<<<<< line 96
    //update was successful
    $id = mysqli_insert_id($db_conx);
}

You also can get more details on the last error by using var_dump(mysqli_error($db_conx));



回答2:

password is a function name in MySQL. Function names, like reserved words, must be enclosed in backticks to be used as a field name.

Personally, I'd say put backticks around all database, table and column names.

Using "bare" names in MySQL is akin to using bare strings in PHP. Sure, $foo = bar; will work, but it relies on bar not being a constant. Well, in MySQL, you are relying on your column names not being reserved words. Same thing. Use backticks!



标签: php mysqli
举报

收藏的人(0)

Ta的文章 更多文章
登录 后发表评论
0条评论
还没有人评论过~