使用bindValue的准备好的语句不起作用 [英] prepared statement using bindValue not working

问题描述

我是PHP的新手，我正在尝试准备一个准备好的语句.它是我在大学的最后一年的项目，我记得读过，准备好的语句是很好的实践，也适合SQL注入.但是，以下代码给了我Server 500错误.

I'm new to PHP and I'm trying to get a prepared statement to work. Its for my final year project at university and I remember reading that prepared statements are good practice and also good for SQL injections. However the following code gives me a Server 500 error.

<?php
    $email = "blah@blah.co.uk";
    $hash = "somerandomhashedpassword";
    $db = new mysqli("localhost", "root", "1234", "UEAnetwork");    
    $sql = "INSERT INTO Students (Email, Password) VALUES (?,?)";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(1, $email);
    $stmt->bindValue(2, $hash);           
    if ($stmt->execute()) {
        echo "You have registered!!!!!!!!!!!!!!!!!!!!!!!!!!!!";
    }
?>

如果运行以下命令，则会插入一行，因此，我很确定自己已正确连接到数据库.

If I run the following then a row is inserted, so I'm pretty sure I'm connecting to the database properly.

<?php
    $db = new mysqli("localhost", "root", "1234", "UEAnetwork");    
    $sql = "INSERT INTO Students (Email, Password) VALUES ('blah@blah.co.uk','somerandomhashedpassword')";
    $stmt = $db->prepare($sql);         
    if ($stmt->execute()) {
        echo "You have registered!!!!!!!!!!!!!!!!!!!!!!!!!!!!";
    }
?>

我错误地使用了bindValue吗?我已经在许多在线教程中看到它是通过这种方式使用的，但是我一定做错了事.

Am I using bindValue incorrectly? I've seen it used this way in many tutorials online but I must be doing something wrong.

推荐答案

mysqli具有与PDO完全不同的API.没有mysql_stmt::bindValue.您想使用mysql_stmt::bind_param，但是语法却大不相同:

mysqli has a very different API than PDO. There is no mysql_stmt::bindValue. You want to use mysql_stmt::bind_param, but the syntax is quite different:

$stmt->bind_param('ss', $email, $hash);

这篇关于使用bindValue的准备好的语句不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！