PHP: Call to a member function bindParam() on a non-object (MySQLi)
Sorry, I'm new to SQL. I built a form that lets users enter values, and I'm trying to eliminate the possibility of SQL injection, so I want to take the proper measures in my code. Here is my code using $_POST, which is vulnerable to SQL injection:

$dbh = mysqli_connect("localhost", "root", "", "toplist");
// Checking the connection
if (mysqli_connect_errno())
{
    echo "Could not connect to SQL database: " . mysqli_connect_error();
}
$serverip = $_POST['post_serverip'];
$serverport = $_POST['post_serverport'];
$servertitle = $_POST['post_servertitle'];
$serverdesc = $_POST['post_serverdesc'];
$serverwebsite = $_POST['post_serverwebsite'];
$listingtype = $_POST['post_listingtype'];
// The form values are spliced straight into the SQL text; this is the injection-prone part
$query = mysqli_query($dbh, "INSERT INTO servers (serverip, serverport, servertitle, serverdesc, serverwebsite, listingtype) VALUES ('$serverip','$serverport','$servertitle','$serverdesc','$serverwebsite','$listingtype')");

I heard that prepared statements reduce or remove the risk of SQL injection, so I converted the code to use a prepared statement:

$dbh=mysqli_connect("localhost","root","","toplist");
global $DBH;
// Checking the connection
if (mysqli_connect_errno($dbh))
{
echo "Could not connect to SQL database: " . mysqli_connect_error();
}
// Inserting input values into its respected row serverip, serverport, servertitle, serverdesc, serverwebsite, listingtype
$stmt = $dbh->prepare("INSERT INTO servers (name, value) VALUES (:serverip, :serverip, :serverport, :serverport, :server desc, :server desc, :serverwebsite, :serverwebsite, :listing type, :listing type)");
$stmt->bind_param(':post_serverip', $serverip);
$stmt->bind_param(':post_serverport', $serverport);
$stmt->bind_param(':post_servertitle', $servertitle);
$stmt->bind_param(':post_serverdesc', $serverdesc);
$stmt->bind_param(':post_serverwebsite', $serverwebsite);
$stmt->bind_param(':post_listingtype', $listingtype);

But I get the error: Call to a member function bindParam() on a non-object. Everything else seems to be fine, since this is the only error I get.
I did some searching and I think the error may be caused by the connection to my database. Does anyone know exactly what causes this?
EDIT: Numbered array method
Original answer that helped the OP, with an example
Try it like this, and replace column_1 and value_1 etc. to match your columns and variables.
N.B.: if you want to separate words, use underscores rather than hyphens.
Method #1
or this method: (Method 2)
Don't mix them up. Use one or the other. Note: keep it like this: $stmt->bindParam(1, $serverip) etc. Keep 1, 2, 3, 4, 5, 6, and then replace $value_x with $serverip etc.
Well, in your second code body you definitely have more values than bindParams. Also, you only have colons on these two, :serverip, :serverip, and none of the others. You're also mixing it up with the other one, so that's another X against you. bindParam is PDO, and bind_param is mysqli.

For a PDO connection, use $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password); You're welcome. You have 6 bindParams and what looks like 15 values, and column names with spaces or missing commas. If your column is called (for example) server desc (which, by the way, is in there twice), you need to wrap it in backticks.

I decided to use PDO. Oh, that was my mistake, assume 6 bindParams and 6 values. I took the PDO connection code you gave me, but I believe I've configured it incorrectly: $dbh = new PDO("mysql:host=localhost;dbname=toplist", root, ); because it doesn't work. By the way, the database has no password, so should I leave it empty or remove it from the PDO connection?

Yes, you can try removing the password parameter, although I've never done that; I always use a password.

Tried it both ways, but neither put the values into my table. Hold on, posting a picture of the code.

Have you changed column_1 and value_1 etc. to your column names and variables? @GangDonIt

Picture of the current code: (using example 2)

You've mixed my two "different" examples together. Note the two different code bodies separated by "or this method":

@GangDonIt - use one or the other, don't mix the two. Note that the first ends with $stmt->execute(); and that's it. The other has execute in the array. Also, I noticed you put $stmt->bindParam(postserverip, $serverip) instead of keeping the numbers (1,2,3,4,5,6): $stmt->bindParam(1, $value_1) etc.

@GangDonIt - the number sequence must stay like that, as in example 2, which is why you're getting the error. Keep the numbers as they are, but replace the second parameter with your $value.

$serverip=$_POST['post_serverip'];
$serverport=$_POST['post_serverport'];
$servertitle=$_POST['post_servertitle'];
$serverdesc=$_POST['post_serverdesc'];
$serverwebsite=$_POST['post_serverwebsite'];
$listingtype=$_POST['post_listingtype'];
$mysql_hostname = 'xxx';
$mysql_username = 'xxx';
$mysql_dbname = 'xxx';
$mysql_password = '';
$dbh= new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
$stmt = $dbh->prepare("INSERT INTO servers (serverip, serverport, servertitle, serverdesc, serverwebsite, listingtype)
VALUES (:serverip, :serverport, :servertitle, :serverdesc, :serverwebsite, :listingtype)");
$stmt->bindParam(1, $serverip);
$stmt->bindParam(2, $serverport);
$stmt->bindParam(3, $servertitle);
$stmt->bindParam(4, $serverdesc);
$stmt->bindParam(5, $serverwebsite);
$stmt->bindParam(6, $listingtype);
$stmt->execute(array(
':serverip' => $serverip,
':serverport' => $serverport,
':servertitle' => $servertitle,
':serverdesc' => $serverdesc,
':serverwebsite' => $serverwebsite,
':listingtype' => $listingtype));
Method #1:
$mysql_hostname = 'xxx';
$mysql_username = 'xxx';
$mysql_dbname = 'xxx';
$mysql_password = '';
$dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
$stmt = $dbh->prepare("INSERT INTO servers (column_1, column_2, column_3, column_4, column_5, column_6)
VALUES (:value_1, :value_2, :value_3, :value_4, :value_5, :value_6)");
// The name given to bindParam() must match a placeholder in the query (:value_x), not the column name
$stmt->bindParam(':value_1', $value_1);
$stmt->bindParam(':value_2', $value_2);
$stmt->bindParam(':value_3', $value_3);
$stmt->bindParam(':value_4', $value_4);
$stmt->bindParam(':value_5', $value_5);
$stmt->bindParam(':value_6', $value_6);
$stmt->execute();

Method #2:
$mysql_hostname = 'xxx';
$mysql_username = 'xxx';
$mysql_dbname = 'xxx';
$mysql_password = '';
$dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
// Numbered bindParam(1, ...) calls go with "?" placeholders; the named :value_x form belongs to Method #1
$stmt = $dbh->prepare("INSERT INTO servers (column_1, column_2, column_3, column_4, column_5, column_6)
VALUES (?, ?, ?, ?, ?, ?)");
$stmt->bindParam(1, $value_1);
$stmt->bindParam(2, $value_2);
$stmt->bindParam(3, $value_3);
$stmt->bindParam(4, $value_4);
$stmt->bindParam(5, $value_5);
$stmt->bindParam(6, $value_6);
// The values are already bound by position, so execute() takes no array
$stmt->execute();
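As an added example (not code from the question or either answer), here is the question's INSERT done correctly with each API, showing the two differences the thread turns on: mysqli only has "?" placeholders and bind_param(), while PDO has named placeholders and bindParam()/execute(array). It assumes the toplist database, the servers table and the post_* form field names from the question, and turns on strict error reporting so that a failed prepare() throws instead of returning false, which is what otherwise ends in "Call to a member function ... on a non-object".

```php
<?php
// Added example, not code from the question or the answers: the question's
// INSERT done correctly with each API. Assumes the "toplist" database, the
// "servers" table and the post_* form field names from the question.
declare(strict_types=1);

// Collect the six form fields; a missing field becomes '' instead of a notice.
$values = [];
foreach (['serverip', 'serverport', 'servertitle', 'serverdesc', 'serverwebsite', 'listingtype'] as $col) {
    $values[$col] = (string) ($_POST['post_' . $col] ?? '');
}

// Variant 1: mysqli. It only understands "?" placeholders and binds them with
// bind_param(), whose first argument is a type string ("s" = string per value).
// Strict reporting makes a failed prepare() throw instead of returning false,
// which is what otherwise ends in "Call to a member function ... on a non-object".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'root', '', 'toplist');
$stmt = $mysqli->prepare(
    'INSERT INTO servers (serverip, serverport, servertitle, serverdesc, serverwebsite, listingtype)
     VALUES (?, ?, ?, ?, ?, ?)'
);
$stmt->bind_param(
    'ssssss',
    $values['serverip'], $values['serverport'], $values['servertitle'],
    $values['serverdesc'], $values['serverwebsite'], $values['listingtype']
);
$stmt->execute();
$stmt->close();

// Variant 2: PDO. Named ":placeholders" are allowed, and the values can be passed
// to execute() as an array whose keys match the placeholder names. The numbered
// form bindParam(1, ...) belongs to "?" placeholders only, so it is not mixed in.
$pdo = new PDO('mysql:host=localhost;dbname=toplist;charset=utf8mb4', 'root', '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // SQL errors become exceptions
    PDO::ATTR_EMULATE_PREPARES => false,                   // MySQL itself prepares the statement
]);
$stmt = $pdo->prepare(
    'INSERT INTO servers (serverip, serverport, servertitle, serverdesc, serverwebsite, listingtype)
     VALUES (:serverip, :serverport, :servertitle, :serverdesc, :serverwebsite, :listingtype)'
);
$stmt->execute($values); // PDO accepts the keys with or without the leading colon
```

Either variant on its own is enough; they are shown back to back only for comparison, so running the file as-is inserts the row twice.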