stackoom
  简体   繁体   中英

mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables warning

 原文  2015-03-29 12:50:30       php/ sql/ sql-injection

Question

My codes for the prevention of SQL injection isn't working. Can anyone help me?

I'm receiving this warning: Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables.

Thanks. 

$mysqli = new mysqli('localhost', 'root', '', 'Muproj');    
$query="INSERT INTO tblmember VALUES (':id', ':uname' , ':passwrd' , ':name' , ':surname' ,':0' )";
$stmt = $mysqli->prepare($query);
$stmt->bind_param(':id', $newid);
$stmt->bind_param(':uname', $C_uname);
$stmt->bind_param(':passwrd', $C_passwrd);
$stmt->bind_param(':name', $C_name);
$stmt->bind_param( ':surname', $C_surname);
$stmt->bind_param(':0', '0');
$stmt->execute();
$result=mysql_query($stmt);

1 answers

solution1
 3 ACCPTED  2015-03-29 13:36:50

you appear to be mixing PDO syntax with MySQLi syntax.

Please read up on http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

I do not use PDO myself much, but I do use MySQLi, so your references as :something are PDO declarations, but the SQL functions you use are MySQLi.

With a MySQLi bind_param function you need to add all the data into an array-like row (it may actually be an array), but preceeded by a declaration of types, as in S tring, i nteger, D ouble and B lob.

I have rewritten your code in the MySQLi form: 

$mysqli = new mysqli('localhost', 'root', '', 'Muproj');    
$query="INSERT INTO tblmember VALUES (?, ? , ? , ? , ? ,? )";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("issssi", $newid, $C_uname, $C_passwrd, $C_name, $C_surname, $zero)
$stmt->execute();
//$result=mysqli_query($stmt);

You need to do some serious research as to the differences of approach and formatting and functionality between MySQLi and PDO. Also be careful to maintain ALL your MySQL as MySQLi , as for example your $result was using the deprectated MySQL query statement.

PS: I would also suggest for clarity and forward compatibility that your INSERT statement in the SQL reads as: 

 INSERT INTO table_name (column_names1, column_name2, column_names3, ...) VALUES (?,?,?, ...)

So you and the SQL can clearly see which values are plugged into which columns.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Warning : mysqli_stmt::bind_param(): Number of elements in type definition string doesn’t match number of bind variables mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables using array SQL error :mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables Error: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables mysqli_stmt::bind_param()Number of elements in type definition string doesn't match number PHP Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number Warning: mysqli_stmt::bind_param() Number of variables doesn't match number of parameters in prepared statement Mysqli error with bind_param(): Number of elements in type definition string doesn't match number of bind variables Mysqli:mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM