0
瞭解了PHP和MySQL的基礎知識後,我現在學習如何使用預準備語句來防範SQL注入攻擊。我有以下代碼:爲什麼這個準備好的語句會拋出一個錯誤?
for ($i = 0; $i < $delegateno ;$i++){
$q = "INSERT INTO delegates (delegate_id,booker_name, booker_email, booker_tel, booker_company, delegate_name, delegate_email, delegate_tel) VALUES (NULL, ?, ?, ?, ?, ?, ?, ?)";//Insert delegate information into delegate tables
$stmt = mysqli_query($dbc, $q);
mysqli_stmt_bind_param($stmt,'sssssss', $fullname, $email, $tel, $company,$delegatename[$i],$delegateemail[$i],$delegatetel[$i]);
mysqli_stmt_execute($stmt);
}
然而,這將引發:
Notice: Query: INSERT INTO delegates (delegate_id,booker_name, booker_email, booker_tel, booker_company, delegate_name, delegate_email, delegate_tel) VALUES (NULL, ?, ?, ?, ?, ?, ?, ?)
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?, ?, ?, ?, ?, ?, ?)'
我在做什麼錯?
爲什麼你如果空反正設定delegate_id?和$ stmt後,你必須使用$ stmt-> bind_param()不是嗎?即時通訊使用[的PDO類](http://php.net/manual/de/book.pdo.php)來管理我的mysql – Dwza
我想我加入了它的情況下,當我還在處理查詢。如果你使用的是面向對象的風格或者PDO,你可以使用 - > bind_param(),但是我相信mysqli是這樣做的。 – ElendilTheTall