MYSQLI准备的语句bind_param类型不起作用 [英] MYSQLI prepared statement bind_param types does not work

问题描述

多年以来，我一直在使用准备好的插入语句，并假定它正确地绑定了参数或会出现错误，但似乎不像下面的php那样绑定并插入记录而没有任何错误，而是更改了应该为int的字符串到零.因此，可以防止SQL注入攻击，但是最终会在表中产生虚假记录.例如:

I have been using prepared insert statements for some years and assumed it was binding parameters properly or would give an error but it seems not as the following php binds and inserts a record without any errors but changes a string which should be an int to a zero. So it may be ok for preventing SQL injection attacks but you would end up with a spurious record in the table. e.g.:

    $q = "INSERT INTO `table` (id1, id2) VALUES (?, ?)";
    $stmt = mysqli_stmt_init($dbc);
    $stmt->prepare($q);
    $id1 = 'aaaaaaa';
    $id2= 'aaaaaaa';
    $result = $stmt->bind_param('ii', $id1, $id2);
    echo '<p>' . $result . '</p>'; // Trying to bind a string to an int returns true! 
    echo $dbc->error; // nothing
    $stmt->execute(); // inserts record changing $id2 to zero but auto-increments primary key $id1
    echo $dbc->error; // nothing

此文件在具有Apache/2.2.14，PHP/5.3.1和MySQL 5.1.41的Xampp环境中运行.谁能告诉我发生了什么事?

This is running in an Xampp environment with Apache/2.2.14, PHP/5.3.1 and MySQL 5.1.41. Can anyone tell me what is going on?

推荐答案

我不是专家，但是乍一看. 你有:

I'm not an expert for sure, but at first look. You have:

$id1 = 'aaaaaaa';
$id2= 'aaaaaaa';
$result = $stmt->bind_param('ii', $id1, $id2);

事情是您的'ii'参数表明您将绑定整数！实际上，您的$id1和$id2是字符串.对于字符串，您应该使用:

Thing is your 'ii' parameter says that you will be binding integers! And in fact your $id1 and $id2 are strings. For strings you should go with:

$result = $stmt->bind_param('ss', $id1, $id2);

这篇关于MYSQLI准备的语句bind_param类型不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！