Php 对非对象MySQLi调用成员函数bindParam()
对不起,我是SQL新手。我构建了一个表单,允许用户输入值 我试图消除SQL注入的可能性,因此在编程中采取了适当的措施 以下是我使用$POST的代码,易受SQL注入攻击:Php 对非对象MySQLi调用成员函数bindParam(),php,mysql,sql,sql-server,mysqli,Php,Mysql,Sql,Sql Server,Mysqli,对不起,我是SQL新手。我构建了一个表单,允许用户输入值 我试图消除SQL注入的可能性,因此在编程中采取了适当的措施 以下是我使用$POST的代码,易受SQL注入攻击: $dbh=mysqli_connect("localhost","root","","toplist"); // Checking the connection if (mysqli_connect_errno($dbh)) { echo "Could not connect do SQL database: " .
$dbh=mysqli_connect("localhost","root","","toplist");
// Checking the connection
if (mysqli_connect_errno($dbh))
{
echo "Could not connect do SQL database: " . mysqli_connect_error();
}
$serverip=$_POST['post_serverip'];
$serverport=$_POST['post_serverport'];
$servertitle=$_POST['post_servertitle'];
$serverdesc=$_POST['post_serverdesc'];
$serverwebsite=$_POST['post_serverwebsite'];
$listingtype=$_POST['post_listingtype'];
$query = mysqli_query($con,"INSERT INTO servers (serverip, serverport, servertitle, serverdesc, serverwebsite, listingtype) VALUES ('$serverip','$serverport','$servertitle','$serverdesc','$serverwebsite','$listingtype')");
$dbh=mysqli_connect("localhost","root","","toplist");
global $DBH;
// Checking the connection
if (mysqli_connect_errno($dbh))
{
echo "Could not connect do SQL database: " . mysqli_connect_error();
}
// Inserting input values into its respected row serverip, serverport, servertitle, serverdesc, serverwebsite, listingtype
$stmt = $dbh->prepare("INSERT INTO servers (name, value) VALUES (:serverip, :serverip, :serverport, :serverport, :server desc, :server desc, :serverwebsite, :serverwebsite, :listing type, :listing type)");
$stmt->bind_param(':post_serverip', $serverip);
$stmt->bind_param(':post_serverport', $serverport);
$stmt->bind_param(':post_servertitle', $servertitle);
$stmt->bind_param(':post_serverdesc', $serverdesc);
$stmt->bind_param(':post_serverwebsite', $serverwebsite);
$stmt->bind_param(':post_listingtype', $listingtype);
编号数组法
用示例帮助OP的原始答案 像这样尝试并替换
column_1value_1或“此方法:(方法2) 不要把它们混在一起。使用其中一种。 注意:像这样保存它
$stmt->bindParam(1,$serverip)等。保留1,2,3,4,5,6
,然后用$serverip
等替换$value\u x
$mysql_hostname = 'xxx';
$mysql_username = 'xxx';
$mysql_dbname = 'xxx';
$mysql_password = '';
$dbh= new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
$stmt = $dbh->prepare("INSERT INTO servers (column_1, column_2, column_3, column_4, column_5, column_6)
VALUES (:value_1, :value_2, :value_3, :value_4, :value_5, :value_6)");
$stmt->bindParam(1, $value_1);
$stmt->bindParam(2, $value_2);
$stmt->bindParam(3, $value_3);
$stmt->bindParam(4, $value_4);
$stmt->bindParam(5, $value_5);
$stmt->bindParam(6, $value_6);
$stmt->execute(array(
':column_1' => $value_1,
':column_2' => $value_2,
':column_3' => $value_3,
':column_4' => $value_4,
':column_5' => $value_5,
':column_6' => $value_6));
嗯,在第二个代码体中,您的值肯定超过了您的binParam
。另外,您只有这两个:serverip、:serverip
的冒号,而没有其他冒号。你也在和别人混在一起,所以另一个X
对你不利bindParam
是PDO,而bind_-param
是mysqli
对于PDO连接,使用$dbh=new-PDO(“mysql:host=$mysql_-hostname;dbname=$mysql_-dbname”,“mysql_-username,$mysql_-password”)不客气。您有6个bindParam
,看起来是15个值,列名中有空格或缺少逗号。如果您的列名被调用(例如)server desc
(顺便说一句,其中有两次),您需要使用反勾号来包装它。我决定使用PDO。哦,这是我的错误,假设有6个bindParams和6个值。我接受了您提供给我的PDO连接代码,但我相信我配置不正确:$dbh=new-PDO(“mysql:host=localhost;dbname=toplist”,root,);因为它不起作用。顺便说一句,数据库没有密码,所以我应该将其保留为空还是从PDO连接中删除?是的,您可以尝试删除密码参数,尽管我从来没有这样做过,但我始终使用密码。两种方法都尝试过,但两种方法都没有将值输入到我的表中。请稍等,张贴代码图片。您是否已将column_1
和value_1
等更改为您的列名和变量@Gangdoni当前代码的图片:(使用示例2)您将我的两个“不同”示例混合在一起。请注意由或此方法分隔的两个不同的代码体:
@GangDonIt-使用一个或另一个,不要两者混淆。注意,第一个以$stmt->execute()结尾就这样。另一个在数组中有execute
,另外我注意到你放了$stmt->bindParam(postserverip,$serverip)
而不是保留数字(1,2,3,4,5,6)$stmt->bindParam(1,$value_1)等@GangDonIt-数字序列必须保持这样,如示例2所示,这就是为什么会出现错误。保持数字不变,但将第二个参数替换为$value。
$serverip=$_POST['post_serverip'];
$serverport=$_POST['post_serverport'];
$servertitle=$_POST['post_servertitle'];
$serverdesc=$_POST['post_serverdesc'];
$serverwebsite=$_POST['post_serverwebsite'];
$listingtype=$_POST['post_listingtype'];
$mysql_hostname = 'xxx';
$mysql_username = 'xxx';
$mysql_dbname = 'xxx';
$mysql_password = '';
$dbh= new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
$stmt = $dbh->prepare("INSERT INTO servers (serverip, serverport, servertitle, serverdesc, serverwebsite, listingtype)
VALUES (:serverip, :serverport, :servertitle, :serverdesc, :serverwebsite, :listingtype)");
$stmt->bindParam(1, $serverip);
$stmt->bindParam(2, $serverport);
$stmt->bindParam(3, $servertitle);
$stmt->bindParam(4, $serverdesc);
$stmt->bindParam(5, $serverwebsite);
$stmt->bindParam(6, $listingtype);
$stmt->execute(array(
':serverip' => $serverip,
':serverport' => $serverport,
':servertitle' => $servertitle,
':serverdesc' => $serverdesc,
':serverwebsite' => $serverwebsite,
':listingtype' => $listingtype));
$mysql_hostname = 'xxx';
$mysql_username = 'xxx';
$mysql_dbname = 'xxx';
$mysql_password = '';
$dbh= new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
$stmt = $dbh->prepare("INSERT INTO servers (column_1, column_2, column_3, column_4, column_5, column_6)
VALUES (:value_1, :value_2, :value_3, :value_4, :value_5, :value_6)");
$stmt->bindParam(':column_1', $value_1);
$stmt->bindParam(':column_2', $value_2);
$stmt->bindParam(':column_3', $value_3);
$stmt->bindParam(':column_4', $value_4);
$stmt->bindParam(':column_5', $value_5);
$stmt->bindParam(':column_6', $value_6);
$stmt->execute();
$mysql_hostname = 'xxx';
$mysql_username = 'xxx';
$mysql_dbname = 'xxx';
$mysql_password = '';
$dbh= new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
$stmt = $dbh->prepare("INSERT INTO servers (column_1, column_2, column_3, column_4, column_5, column_6)
VALUES (:value_1, :value_2, :value_3, :value_4, :value_5, :value_6)");
$stmt->bindParam(1, $value_1);
$stmt->bindParam(2, $value_2);
$stmt->bindParam(3, $value_3);
$stmt->bindParam(4, $value_4);
$stmt->bindParam(5, $value_5);
$stmt->bindParam(6, $value_6);
$stmt->execute(array(
':column_1' => $value_1,
':column_2' => $value_2,
':column_3' => $value_3,
':column_4' => $value_4,
':column_5' => $value_5,
':column_6' => $value_6));