[英]mysqli bind_param Number of variables doesn't match number of parameters in prepared statement
I'm getting this error:我收到此错误:
Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement警告:mysqli_stmt::bind_param():变量数与准备语句中的参数数不匹配
code:代码:
$stmt = $sql->prepare("SELECT name, site, message, `when` FROM messages WHERE message LIKE '%?%'");
$stmt->bind_param('s', $_GET['search']);
$stmt->execute();
$result = $stmt->get_result();
I'm trying to get the user input into the prepared statement.我正在尝试让用户输入准备好的语句。
This code works fine but is insecure against SQL injections:此代码工作正常但对 SQL 注入不安全:
$result = $sql->query("SELECT name, site, message, `when` FROM messages WHERE message LIKE '%" . $_GET['search'] . "%'");
When using LIKE
in a prepared statement, it's a little bit different.在准备好的语句中使用LIKE
时,有点不同。 You should add the %
to the parameter before binding it to the statement.在将参数绑定到语句之前,您应该将%
添加到参数中。
Try something like below:尝试如下所示:
$param = "%{$_GET['search']}%";
$stmt = $sql->prepare("SELECT name, site, message, `when` FROM messages WHERE message LIKE ?");
$stmt->bind_param('s', $param);
$stmt->execute();
$result = $stmt->get_result();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.