堆栈内存溢出
  简体   繁体   English

mysqli bind_param 变量数与准备语句中的参数数不匹配

[英]mysqli bind_param Number of variables doesn't match number of parameters in prepared statement

 原文  2018-12-12 08:21:07       php/ mysql/ mysqli/ sql-injection

问题描述

I'm getting this error:我收到此错误:

Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement警告:mysqli_stmt::bind_param():变量数与准备语句中的参数数不匹配

code:代码:

$stmt = $sql->prepare("SELECT name, site, message, `when` FROM messages WHERE message LIKE '%?%'");
$stmt->bind_param('s', $_GET['search']);
$stmt->execute();
$result = $stmt->get_result();

I'm trying to get the user input into the prepared statement.我正在尝试让用户输入准备好的语句。

This code works fine but is insecure against SQL injections:此代码工作正常但对 SQL 注入不安全:

$result = $sql->query("SELECT name, site, message, `when` FROM messages WHERE message LIKE '%" . $_GET['search'] . "%'");

1 个解决方案

解决方案1
 1 已采纳  2018-12-12 08:24:57

When using LIKE in a prepared statement, it's a little bit different.在准备好的语句中使用LIKE时,有点不同。 You should add the % to the parameter before binding it to the statement.在将参数绑定到语句之前,您应该将%添加到参数中。

Try something like below:尝试如下所示:

$param = "%{$_GET['search']}%";
$stmt = $sql->prepare("SELECT name, site, message, `when` FROM messages WHERE message LIKE ?");
$stmt->bind_param('s', $param);
$stmt->execute();
$result = $stmt->get_result();

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Mysqli:mysqli_stmt :: bind_param():变量数与准备好的语句中的参数数不匹配 - Mysqli:mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement 警告:mysqli_stmt :: bind_param()变量数与准备好的语句中的参数数不匹配 - Warning: mysqli_stmt::bind_param() Number of variables doesn't match number of parameters in prepared statement mysqli_stmt :: bind_param():变量数与准备好的语句中的参数数不匹配 - mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement mysqli_stmt :: bind_param():变量数量与php中准备好的语句中的参数数量不匹配 - mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement in php mysqli_stmt :: bind_param变量数与准备好的语句中的参数数不匹配 - mysqli_stmt::bind_param Number of variables doesn't match number of parameters in prepared statement MySQLi 警告:mysqli_stmt::bind_param():变量数与准备语句中的参数数不匹配 - MySQLi Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement in PHP 警告:mysqli_stmt::bind_param():变量数与准备好的语句中的参数数不匹配 - PHP Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement mysqli_stmt :: bind_param():第64行上已准备好的语句中的变量数量与参数数量不匹配 - mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement on line 64 (PHP)警告:mysqli_stmt :: bind_param():变量数与准备好的语句中的参数数不匹配 - (PHP) Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement 警告:mysqli_stmt::bind_param():变量数与 C:\User..\ on 148 中准备好的语句中的参数数不匹配 - Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement in C:\User..\ on 148
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM