PHP Prepare Statements - Query returns true but it is not updating in sql table

Posted: 2013-04-05 12:55:29

Question:

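I am trying to learn how to make my PHP code more secure against SQL injection and am currently trying out prepared statements, but I am having some trouble getting this to work. I am getting the following error thrown: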

Fatal error: Call to a member function prepare() on a non-object in /Applications/XAMPP/xamppfiles/htdocs/Zaptube/classes/class.Article.inc on line 59

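But after receiving this error, I changed the if statement from

$stmt = $mysqli->prepare

to

$stmt = $this->mysqli->prepare

This makes the statement return true, but it does not actually update the SQL table. I am not entirely sure where I am going wrong.

Below is the full code I am using; any help is welcome.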

class.Article.inc

public function insert ($field) {

     if ($stmt = $mysqli->prepare("INSERT INTO articles (section, author, title, story, date_created, genre, youtubeid) values (?, ?, ?, ?, ?, ?, ?)")) {

     /* Bind our params */
     $stmt->bind_param('sssssss', $section, $author, $title, $story, $date_created, $genre, $youtubeid);

     /* Set our params */
     $obj->section = $_POST['section'];
     $obj->author = $_POST['author'];
     $obj->title = $_POST['title'];
     $obj->story = $_POST['story'];
     $obj->date_created = $_POST['date'];
     $obj->genre = $_POST['genre'];
     $obj->youtubeid = $_POST['youtubeid'];

     /* Execute the prepared Statement */
     $stmt->execute();

     /* Echo results */
     echo "Inserted $lastName,$firstName into database\n";

     /* Execute second Query */
     $stmt->execute();

     echo "Inserted $title into database\n";

     /* Close the statement */
     $stmt->close();
     }
     else {
     /* Error */
     printf("Prepared Statement Error: %s\n", $mysqli->error);
     }

}

insert.php

<?php
$obj = new Article();
    if(isset($_POST['submit'])){

        $fields = array(
        'section'   => array('required' => True),
        'author'  => array('required' => True),
        'title'  => array('required' => True),
        'story'     => array('required' => True),
        'date_created'   => array('required' => True),
        'genre'=> array('required' => True),
        'youtubeid' => array('required' => True),
    );
    // We will check ALL fields, and store here any missing ones
        $missing = array();

        foreach($fields as $field => $definition)
        {
            if (!empty($_POST[$field]))
            {
                 $obj->section = $_POST['section'];
                 $obj->author = $_POST['author'];
                 $obj->title = $_POST['title'];
                 $obj->story = $_POST['story'];
                 $obj->date_created = $_POST['date'];
                 $obj->genre = $_POST['genre'];
                 $obj->youtubeid = $_POST['youtubeid'];

                // We store the content in the object
                $obj->$field = $_POST[$field];

            }
            else
            {
                // Field is required? If so, its lack is an error
                if (True === $definition['required'])
                    $missing[] = $field;
            }
        }
        if (!empty($missing))
        {
            echo "Sorry, field(s) missing: " . implode(',', $missing);
        } else {
            $obj->insert($field);
        }
    }
?>
<div id="mainContent">
<br/>
<div id="insertform"> <!-- Insert Form Div -->

<div id="formWrap">
    <h2>Add a New Article</h2>
    <div id="form">
    <form action="insert.php" method="post" name="insert" id="comments_form">
    <div class="row">
    <div class="label">Picture</div>
    <div class="input">  
    <input type="file" name="fileField" id="fileField" class="detail" />         
                </div> <!-- end input -->
                <div class="context"></div> <!-- end context -->
                </div> <!-- end .row -->   
    <div class="row">
    <div class="label">Section</div>
    <div class="input"> 
            <select name="section" id="section" class="detail">
                 <?php 
                 $sections = array("Game", "Movie", "Music", "Tv", "Sport");
                    foreach ($sections as $section)    
                        echo "<option value='$section'>$section</option>";
                    
                ?>                  </select> 

                </div> <!-- end input -->
                <div class="context"> What are you writing about today? e.g. Movie </div> <!-- end context -->
                </div> <!-- end .row -->
    <div class="row">
    <div class="label">Author</div>
    <div class="input">        
            <input type="input" name="author" id="author" class="detail"/>
                </div> <!-- end input -->
                <div class="context"> e.g. John Smith </div> <!-- end context -->
                </div> <!-- end .row -->   
    <div class="row">
    <div class="label">Title</div>
    <div class="input">        
            <input type="input" name="title" id="title" class="detail"/>
                </div> <!-- end input -->
                <div class="context"> e.g. X-Men Wolverine trailer </div> <!-- end context -->
                </div> <!-- end .row -->                    

    <div class="row">
    <div class="label">Article</div>
    <div class="input">            
            <textarea name="story" id="story" class="detail"></textarea>
                </div> <!-- end input -->
                <div class="context">  </div> <!-- end context -->
                </div> <!-- end .row -->      

    <div class="row">
    <div class="label">Date</div>
    <div class="input">                             
    <? $today = date("l j M Y");  // Monday 13 April 2013 ?>
     <input type="input" name="date_created" id="date_created" class="detail" value="<? echo $today;?>" />
                </div> <!-- end input -->
                <div class="context"> e.g. Monday 1st January 2013 </div> <!-- end context -->
                </div> <!-- end .row --> 

    <div class="row">
    <div class="label">Genre</div>
    <div class="input">                                      
            <input type="input" name="genre" class="detail" id="genre" />
                </div> <!-- end input -->
                <div class="context"> e.g. Movie = Action, Music = Hip Hop Etc. </div> <!-- end context -->
                </div> <!-- end .row -->        


    <div class="row">
    <div class="label">Youtube Id</div>
    <div class="input">                                      
            <input type="input" name="youtubeid" class="detail" id="youtubeid" />
                </div> <!-- end input -->
                <div class="context"> e.g. "oRT_JtSaRHg" please copy the value after "=?" from the youtube URL.</div> <!-- end context -->
                </div> <!-- end .row -->    

            <input type="submit" id="submit" name="submit" value="Submit Message" />
                    <div class="submit"> </div> <!-- end submit -->                
        </form>
</div> <!-- end form -->
</div> <!-- end form wrapper -->

 </div>

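Comments:

You bind parameters, but you assign the values to $obj ... I don't see the connection there. I think your mistake is that you are not binding the data to the parameters. php.net/manual/en/pdo.prepare.php

Answer 1:
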
/* Set our params */
$section = $_POST['section'];
$author = $_POST['author'];
$title = $_POST['title'];
$story = $_POST['story'];
$date_created = $_POST['date'];
$genre = $_POST['genre'];
$youtubeid = $_POST['youtubeid']; 

Try this, or at least assign the data from $obj to your parameter variables.

Answer 2:

public function insert ($field) {

     if ($stmt = $mysqli->prepare("INSERT INTO articles (section, author, title, story, date_created, genre, youtubeid) values (?, ?, ?, ?, ?, ?, ?)")) {

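This code will not work. Nowhere in the insert() method is $mysqli defined, so your ENTIRE database chain is pointless: you are using an undefined local variable, so all the database stuff from that point on is pointless, e.g. you have the equivalent of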

$stmt = null->prepare(....);

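That is why $this->mysqli makes things start "working". You start using a REAL database handle, and the prepare/execute start working.

If no rows are being updated, that is not PHP's problem: you have written the query statement wrong somehow. But you have absolutely no error handling on your query calls, so you are just blindly assuming success. That is not a good way to write code. Always check for failure, e.g.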

$stmt = $this->mysqli->prepare(...) or die($this->mysqli->error);
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
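
An added example (not code from the question or from either answer) that puts the two answers together: use the object's own database handle, bind the variables that actually hold the values, and have mysqli report failures instead of assuming success. The constructor, the FIELDS constant and the connection credentials are assumptions made for illustration; the table and column names are the ones in the question.

```php
<?php
// Added example, not the poster's code. Assumes a reachable MySQL server and
// an `articles` table with the seven columns named in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw

class Article
{
    // Hypothetical constant: form field names, in column order.
    const FIELDS = ['section', 'author', 'title', 'story',
                    'date_created', 'genre', 'youtubeid'];
    private $mysqli;

    public function __construct(mysqli $mysqli)
    {
        $this->mysqli = $mysqli; // the handle insert() reaches as $this->mysqli
    }

    /** Insert one article from form input; returns the number of rows written. */
    public function insert(array $input)
    {
        $values = [];
        foreach (self::FIELDS as $name) {
            // Reject missing, non-string or empty fields before touching the database.
            if (!isset($input[$name]) || !is_string($input[$name]) || trim($input[$name]) === '') {
                throw new InvalidArgumentException("Missing field: $name");
            }
            $values[] = $input[$name];
        }
        $stmt = $this->mysqli->prepare(
            'INSERT INTO articles (section, author, title, story, date_created, genre, youtubeid)
             VALUES (?, ?, ?, ?, ?, ?, ?)'
        );
        // Bind the variables that hold the data (argument unpacking, PHP >= 5.6).
        $stmt->bind_param('sssssss', ...$values);
        $stmt->execute();
        $rows = $stmt->affected_rows; // read before close(); 1 when the row was written
        $stmt->close();
        return $rows;
    }
}

// Usage with placeholder credentials (assumptions, replace with your own).
try {
    $article = new Article(new mysqli('localhost', 'db_user', 'db_pass', 'db_name'));
    echo 'Rows inserted: ', $article->insert($_POST), "\n";
} catch (InvalidArgumentException $e) {
    echo 'Sorry, ', $e->getMessage(), "\n"; // field names come from FIELDS, not from input
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());            // details go to the log, not to the page
    echo "Could not save the article.\n";
}
```

Checking affected_rows after execute() is what distinguishes "the call returned true" from "a row was written", which is the symptom the question describes.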
