[英]bind_param error - Number of elements in type definition string doesn't match number of bind variables
I have an array that I am preparing for a SQL query, so following the steps to make it secure as possible.我有一个准备用于 SQL 查询的数组,因此请按照以下步骤操作以使其尽可能安全。 Attempting the following:
尝试以下操作:
First I implode the array - I want the string result to come out as 'string1','string2','string3' and so on:首先,我内爆数组 - 我希望字符串结果显示为 'string1'、'string2'、'string3' 等等:
$in = "'" . implode("','", array_fill(0, count($finalArray), '?')) . "'";
I make my query:我提出我的查询:
$query = <<<SQL
UPDATE products SET `Status` = 'Reserved' WHERE `SerialNumber` in ($in);
SQL;
$query = <<<SQL
And prepare the statement variable:并准备语句变量:
$statement = $mysqli->prepare($query);
Then I attempt a bind_param with str_repeat, and this is where things go wrong:然后我尝试使用 str_repeat 使用 bind_param,这就是出错的地方:
$statement->bind_param(str_repeat('\'s\',', count($finalArray)), ...$finalArray);
I get:我得到:
mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables
mysqli_stmt::bind_param(): 类型定义字符串中的元素数与绑定变量数不匹配
Does anyone know why I am getting this and how I can resolve it?有谁知道我为什么会得到这个以及我如何解决它?
Looking at your dynamic creating of your placeholders:查看您对占位符的动态创建:
$in = "'" . implode("','", array_fill(0, count($finalArray), '?')) . "'";
So seem to have creating them with '
quotations.所以似乎用
'
引号创建它们。 Placeholders do not need quotations.占位符不需要引号。
$in = implode(',', array_fill(0, count($finalArray), '?'));
$query = "UPDATE products SET Status = 'Reserved' WHERE SerialNumber IN ($in)";
$statement = $mysqli->prepare($query);
Then, in assigning types, you don't need them quoted also:然后,在分配类型时,您也不需要引用它们:
$statement->bind_param(str_repeat('s', count($finalArray)), $finalArray);
Sidenote: Take note that you'll also having to dynamically call bind_param
thru call_user_func_array()
since you're going to use an array.旁注:请注意,您还必须通过
call_user_func_array()
动态调用bind_param
因为您将使用数组。 This part discusses it thoroughly .这部分讨论得很透彻。
Though I'd suggest/prefer to use PDO's ->execute()
:虽然我建议/更喜欢使用 PDO 的
->execute()
:
$pdo = new PDO('mysql:host=localhost;dbname=DATABASE NAME', 'username', 'password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$in = implode(',', array_fill(0, count($finalArray), '?'));
$query = "UPDATE products SET Status = 'Reserved' WHERE SerialNumber IN ($in)";
$statement = $pdo->prepare($query);
$statement->execute($finalArray);
Another way with using Reflection
:另一种使用
Reflection
:
$in = implode(',', array_fill(0, count($finalArray), '?'));
$type = str_repeat('s', count($finalArray));
$query = "UPDATE products SET Status = 'Reserved' WHERE SerialNumber IN ($in)";
$statement = $mysqli->prepare($query);
$ref = new ReflectionClass('mysqli_stmt');
$method = $ref->getMethod('bind_param');
array_unshift($finalArray, $type); // prepend the 'sss' inside
$method->invokeArgs($statement, $finalArray);
$statement->execute();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.