我正在尝试学习如何从 SQL 注入中使我的 PHP 代码更安全,并且目前正在尝试准备好的语句,但我在完成这项工作时遇到了一些麻烦。我被抛出以下错误:
Fatal error: Call to a member function prepare() on a non-object in /Applications/XAMPP/xamppfiles/htdocs/Zaptube/classes/class.Article.inc on line 59
但是在收到此错误后,我将 if 语句从
$stmt = $mysqli->prepare
至
$stmt = $this->mysqli->prepare
这将语句返回为 true,但它实际上并没有更新 sql 表。我不完全确定我哪里出错了。
以下是我完整使用的代码,欢迎任何帮助。
类.Article.inc
public function insert ($field) {
if ($stmt = $mysqli->prepare("INSERT INTO articles (section, author, title, story, date_created, genre, youtubeid) values (?, ?, ?, ?, ?, ?, ?)")) {
/* Bind our params */
$stmt->bind_param('sssssss', $section, $author, $title, $story, $date_created, $genre, $youtubeid);
/* Set our params */
$obj->section = $_POST['section'];
$obj->author = $_POST['author'];
$obj->title = $_POST['title'];
$obj->story = $_POST['story'];
$obj->date_created = $_POST['date'];
$obj->genre = $_POST['genre'];
$obj->youtubeid = $_POST['youtubeid'];
/* Execute the prepared Statement */
$stmt->execute();
/* Echo results */
echo "Inserted {$lastName},{$firstName} into database\n";
/* Execute second Query */
$stmt->execute();
echo "Inserted {$title} into database\n";
/* Close the statement */
$stmt->close();
}
else {
/* Error */
printf("Prepared Statement Error: %s\n", $mysqli->error);
}
}
插入.php
<?php
$obj = new Article();
if(isset($_POST['submit'])){
$fields = array(
'section' => array('required' => True),
'author' => array('required' => True),
'title' => array('required' => True),
'story' => array('required' => True),
'date_created' => array('required' => True),
'genre'=> array('required' => True),
'youtubeid' => array('required' => True),
);
// We will check ALL fields, and store here any missing ones
$missing = array();
foreach($fields as $field => $definition)
{
if (!empty($_POST[$field]))
{
$obj->section = $_POST['section'];
$obj->author = $_POST['author'];
$obj->title = $_POST['title'];
$obj->story = $_POST['story'];
$obj->date_created = $_POST['date'];
$obj->genre = $_POST['genre'];
$obj->youtubeid = $_POST['youtubeid'];
// We store the content in the object
$obj->$field = $_POST[$field];
}
else
{
// Field is required? If so, its lack is an error
if (True === $definition['required'])
$missing[] = $field;
}
}
if (!empty($missing))
{
echo "Sorry, field(s) missing: " . implode(',', $missing);
} else {
$obj->insert($field);
}
}
?>
<div id="mainContent">
<br/>
<div id="insertform"> <!-- Insert Form Div -->
<div id="formWrap">
<h2>Add a New Article</h2>
<div id="form">
<form action="insert.php" method="post" name="insert" id="comments_form">
<div class="row">
<div class="label">Picture</div>
<div class="input">
<input type="file" name="fileField" id="fileField" class="detail" />
</div> <!-- end input -->
<div class="context"></div> <!-- end context -->
</div> <!-- end .row -->
<div class="row">
<div class="label">Section</div>
<div class="input">
<select name="section" id="section" class="detail">
<?php
$sections = array("Game", "Movie", "Music", "Tv", "Sport");
foreach ($sections as $section) {
echo "<option value='$section'>$section</option>";
}
?> </select>
</div> <!-- end input -->
<div class="context"> What are you writing about today? e.g. Movie </div> <!-- end context -->
</div> <!-- end .row -->
<div class="row">
<div class="label">Author</div>
<div class="input">
<input type="input" name="author" id="author" class="detail"/>
</div> <!-- end input -->
<div class="context"> e.g. John Smith </div> <!-- end context -->
</div> <!-- end .row -->
<div class="row">
<div class="label">Title</div>
<div class="input">
<input type="input" name="title" id="title" class="detail"/>
</div> <!-- end input -->
<div class="context"> e.g. X-Men Wolverine trailer </div> <!-- end context -->
</div> <!-- end .row -->
<div class="row">
<div class="label">Article</div>
<div class="input">
<textarea name="story" id="story" class="detail"></textarea>
</div> <!-- end input -->
<div class="context"> </div> <!-- end context -->
</div> <!-- end .row -->
<div class="row">
<div class="label">Date</div>
<div class="input">
<? $today = date("l j M Y"); // Monday 13 April 2013 ?>
<input type="input" name="date_created" id="date_created" class="detail" value="<? echo $today;?>" />
</div> <!-- end input -->
<div class="context"> e.g. Monday 1st January 2013 </div> <!-- end context -->
</div> <!-- end .row -->
<div class="row">
<div class="label">Genre</div>
<div class="input">
<input type="input" name="genre" class="detail" id="genre" />
</div> <!-- end input -->
<div class="context"> e.g. Movie = Action, Music = Hip Hop Etc. </div> <!-- end context -->
</div> <!-- end .row -->
<div class="row">
<div class="label">Youtube Id</div>
<div class="input">
<input type="input" name="youtubeid" class="detail" id="youtubeid" />
</div> <!-- end input -->
<div class="context"> e.g. "oRT_JtSaRHg" please copy the value after "=?" from the youtube URL.</div> <!-- end context -->
</div> <!-- end .row -->
<input type="submit" id="submit" name="submit" value="Submit Message" />
<div class="submit"> </div> <!-- end submit -->
</form>
</div> <!-- end form -->
</div> <!-- end form wrapper -->
</div>