Mysqli預備語句故障排除

Question

我很困惑，最近我在簡單的Mysqli語句中使用了此方法，但是被告知要避免注入，以使用准備好的語句來編寫它。 截斷是唯一起作用的方法。 有什么建議嗎？

$con=mysqli_connect(localhost,"username","password","db");


// Check connection
if (mysqli_connect_errno())
 {
 echo "Failed to connect to MySQL: " . mysqli_connect_error();
 }

$deletetable = $con->prepare('TRUNCATE TABLE twitch_streams');
$deletetable->execute();
$deletetable->close();

$result = $con->prepare("SELECT field_value
FROM xf_user_field_value
WHERE field_id = 'twitch'
AND field_value != ''");

$result->bind_result($twitchfield);

while($result->fetch())
{
printf("%s\n", $twitchfield);
$username[] = $twitchfield;
$data =    json_decode(file_get_contents('http://api.justin.tv/api/stream/l   ist.json?channel=' . $username[0]));
$viewer[] = $data[0]->channel_count;


$insert = $con->prepare("INSERT INTO twitch_streams (twitchuser, viewercount)
VALUES (?, ?)");
$insert->bind_param('si', $twitchuser, $viewercount);

$twitchuser = $username[0];
$viewercount = $viewer[0];

$insert->execute();

echo $twitchuser;
echo $viewercount;
$insert->close();
  }

$result->close();$deletetable = $con->prepare('TRUNCATE TABLE twitch_streams');
$deletetable->execute();
$deletetable->close();

$result = $con->prepare("SELECT field_value
FROM xf_user_field_value
WHERE field_id = twitch
AND field_value != ''");

$result->bind_result($twitchfield);

while($result->fetch())
  {
   printf("%s\n", $twitchfield);
   $username[] = $twitchfield;
   $data =    json_decode(file_get_contents('http://api.justin.tv/api/stream/l   ist.json?      channel=' . $username[0]));
$viewer[] = $data[0]->channel_count;


$insert = $con->prepare("INSERT INTO twitch_streams (twitchuser, viewercount)
VALUES (?, ?)");
$insert = bind_param('si', $twitchuser, $viewercount);

$twitchuser = $username[0];
$viewercount = $viewer[0];

$insert->execute();

echo $twitchuser;
echo $viewercount;
$insert->close();
  }

$result->close();
mysqli_close($con);

Answer 1

沒有函數bind_param() ，它是mysqli_stmt的方法

您可以這樣使用它：

$insert->bind_param()

在此處查看有關mysqli_stmt的更多信息