我正在尝试将mysqli代码嵌入到我的网页中,以便我可以消除sql注入。以下是我的代码现在的样子:
$gYear = $_POST["year"];
$gYear2 = $_POST["year2"];
$gMonth = $_POST["month"];
$gSelect = $_POST["location"];
$query = $conn->prepare("SELECT $gSelect, Year FROM unemployed WHERE year BETWEEN '$gYear' AND '$gYear2' and month='$gMonth'");
$query->bind_param('ssss', $gyear, $gYear2, $gMonth, $gSelect);
$query->execute();
$result = $query->get_result();
while ($row = $result->fetch_object()){
// do something with gathered rows
}
现在,提交表单后,我收到两个错误。这是他们所说的:
Warning: mysqli_stmt::bind_param() [mysqli-stmt.bind-param]: Number of variables doesn't match number of parameters in prepared statement in
和
Fatal error: Call to undefined method mysqli_stmt::get_result() in
我真的不知道我的问题是什么。我试图遵循How can I prevent SQL injection in PHP?中列出的规则。有谁知道我的问题是什么?为什么我收到这两条错误消息?任何帮助将不胜感激。
答案 0 :(得分:0)
对于mysqli::prepare(),您必须使用?作为参数。 (帖子中的代码使用标准PHP 变量替换到字符串中 - 使用占位符时不应对值进行此操作。)
我强烈建议不要让用户选择您选择的列。使用switch()或类似的东西在代码中选择列名,并将其放在$ column变量中。
switch($_POST['location']){
case "loc1":
$column = "location_one";
break;
case "loc2":
$column = "location_two";
break;
// etc, etc...
}
$query = $conn->prepare("SELECT $column, year FROM unemployed WHERE year BETWEEN ? AND ? and month=?");
$query->bind_param('sss', $gyear, $gYear2, $gMonth);
答案 1 :(得分:0)
您可以使用PDO来阻止sql注入,它也适用于> = PHP 5.1
PDO and the PDO_SQLITE driver is enabled by default as of PHP 5.1.0. You may need to
enable the PDO driver for your database of choice;consult the documentation for
database-specific PDO drivers to find out more about that.
它使用最广泛,如果您知道如何使用mysqli,那么它也很容易