Question

我试图将表格中输入的数据插入带有php的MySQL数据库，用于学校项目。

如果找到了几个例子，但无法让它们发挥作用。我没有参数化查询就做到了，它运行正常。代码看起来像这样

$user_firstName = $_POST['firstName'];
$user_lastName = $_POST['lastName'];
$user_receiveTexts = "true";                 
$user_mobileNumber = $_POST['mobileNumber'];
$user_receiveNewsletter = $_POST['receiveNewsletter'];
$user_email = $_POST['email'];

if(isset($_POST['submit'])) {
   $sql = "INSERT INTO subscribers (firstName, lastName, receiveTexts, mobileNumber, receiveNewsletter, email)
   VALUES ('$user_firstName', '$user_lastName', '$user_receiveTexts', '$user_mobileNumber', '$user_receiveNewsletter', '$user_email' )";

然后我尝试将其更改为使用参数化查询/预处理语句，但无法真正实现它。

$sql = "INSERT INTO subscribers (firstName, lastName, receiveTexts, mobileNumber, receiveNewsletter, email) VALUES (?, ?, ?, ?, ?, ?)";
$stmt = $mysqli->prepare($sql);

$stmt->bind_param($val1, $val2, $val3, $val4, $val5, $val6);

$val1 = $user_firstName;
$val2 = $user_lastName;
$val3 = "true";
$val4 = $user_mobileNumber;
$val5 = $user_receiveNewsletter;
$val6 = $user_email;

$stmt->execute();

我真的只想防止SQL注入:) 任何帮助表示赞赏。感谢

Answer 1

你错过了bind_param的第一个参数，这个字符串表示哪个参数是字符串或整数。

$stmt->bind_param('ssssss', $val1, $val2, $val3, $val4, $val5, $val6);

参数化查询PHP插入

1 个答案: