在学习了PHP和MySQL的基础知识之后,我现在正在学习如何使用预准备语句来防止SQL注入攻击.我有以下代码:
for ($i = 0; $i < $delegateno ;$i++){ $q = "INSERT INTO delegates (delegate_id,booker_name, booker_email, booker_tel, booker_company, delegate_name, delegate_email, delegate_tel) VALUES (NULL, ?, ?, ?, ?, ?, ?, ? )";//Insert delegate information into delegate tables $stmt = mysqli_query($dbc, $q); mysqli_stmt_bind_param($stmt,'sssssss', $fullname, $email, $tel, $company,$delegatename[$i],$delegateemail[$i],$delegatetel[$i]); mysqli_stmt_execute($stmt); }
但是,这会引发:
Notice: Query: INSERT INTO delegates (delegate_id,booker_name, booker_email, booker_tel, booker_company, delegate_name, delegate_email, delegate_tel) VALUES (NULL, ?, ?, ?, ?, ?, ?, ? ) MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?, ?, ?, ?, ?, ?, ? )'
我究竟做错了什么?
因为您正在执行包含占位符的原始查询.您需要先prepare()
查询.
这是它(通常)的方式:prepare
- > bind_param
- > execute
- > fetch
.
更改:
$stmt = mysqli_query($dbc, $q);
至:
$stmt = mysqli_prepare($dbc, $q);