mysqli 没有保存到我的数据库 [英] mysqli does not save to my database

问题描述

我需要有关运行 MySQL 的 PHP 代码的帮助.

I need help in my PHP code running MySQL.

对于我在 MySQL 中的存储过程，我有以下内容:

For my stored procedure in MySQL, I have the following:

create procedure register ( out userid              int
                           ,in username             varchar(30)
                           ,in unencryptedpassword  varchar(100)
                           ,in description          varchar(100)
                           ,in emailaddress         varchar(100) )
begin
  declare salt char(25);
  declare createdById int;
  declare createdDate datetime;
  declare lastUpdatedById int;
  declare lastUpdatedDate datetime;
  set salt = 'abcdefghijklmnopqrstuvwxy';
  set createdById = -1;
  set createdDate = now();
  set lastUpdatedById = -1;
  set lastUpdatedDate = now();
  insert into Users ( userId
                    , userName
                    , encryptedPassword
                    , description
                    , emailAddress
                    , createdById
                    , createdDate
                    , lastUpdatedById
                    , lastUpdatedDate ) 
             values ( null
                    , username
                    , password(concat(username, salt, unencryptedpassword))
                    , description
                    , emailAddress
                    , createdById
                    , createdDate
                    , lastUpdatedById
                    , lastUpdatedDate );
  set userid = last_insert_id();
  commit;
end;
/

对于我的 register.php 页面，我有以下内容:

For my register.php page, I have the following:

<?php
$host="localhost";
$db="mydb";
$uname="myuser";
$pword="mypass";

$firstname=$_POST["firstname"];
$lastname=$_POST["lastname"];
$emailaddress=$_POST["emailaddress"];
$newpassword=$_POST["newpassword"];

$mysqli = new mysqli( $host, $uname, $pword, $db );
$res = $mysqli->multi_query( "call register(@userid,$emailaddress,$newpassword,$firstname,$emailaddress)" );
$mysqli->close();

$_SESSION["sessionId"] = 1;
?>

问题是它永远不会被插入到我的数据库中.谁能帮我解决这个问题.

Problem is it never gets inserted into my database. Can anyone help me with this.

谢谢.

推荐答案

您使用 multi_query 的任何原因?您只是在执行一个呼叫"查询.而且它充满了 SQL 注入漏洞，因为您没有转义从 _POST 数组中提取的这 4 个值中的任何一个.

Any reason you're using multi_query? You're only executing the one 'call' query. And it's chock full of SQL injection vulnerabilities, since you're not escaping any of those 4 values you pull from the _POST array.

mysql_multi_query 返回布尔值 FALSE.你应该检查 $res :

mysql_multi_query returns boolean FALSE if the first query in the call fails. You should check $res for that:

$res = $mysqli->multi_query(...);
if ($res === FALSE) {
   die("Mysql error: " . $mysqli->error);
}

这篇关于mysqli 没有保存到我的数据库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！