
I'm trying to learn how to make my PHP code safer against SQL injection and am currently experimenting with prepared statements, but I'm having some trouble getting it to work. I get the following error:

Fatal error: Call to a member function prepare() on a non-object in /Applications/XAMPP/xamppfiles/htdocs/Zaptube/classes/class.Article.inc on line 59

After receiving this error, I changed the if statement from

$stmt = $mysqli->prepare

to

$stmt = $this->mysqli->prepare

This makes the statement return true, but it doesn't actually update the SQL table. I'm not entirely sure where I'm going wrong.

Below is the complete code I'm using; any help is welcome.

class.Article.inc

public function insert ($field) {

    if ($stmt = $mysqli->prepare("INSERT INTO articles (section, author, title, story, date_created, genre, youtubeid) values (?, ?, ?, ?, ?, ?, ?)")) {

        /* Bind our params */
        $stmt->bind_param('sssssss', $section, $author, $title, $story, $date_created, $genre, $youtubeid);

        /* Set our params */
        $obj->section = $_POST['section'];
        $obj->author = $_POST['author'];
        $obj->title = $_POST['title'];
        $obj->story = $_POST['story'];
        $obj->date_created = $_POST['date'];
        $obj->genre = $_POST['genre'];
        $obj->youtubeid = $_POST['youtubeid'];

        /* Execute the prepared Statement */
        $stmt->execute();

        /* Echo results */
        echo "Inserted {$lastName},{$firstName} into database\n";

        /* Execute second Query */
        $stmt->execute();

        echo "Inserted {$title} into database\n";

        /* Close the statement */
        $stmt->close();
    }
    else {
        /* Error */
        printf("Prepared Statement Error: %s\n", $mysqli->error);
    }
}

insert.php

<?php
$obj = new Article();
if (isset($_POST['submit'])) {

    $fields = array(
        'section'      => array('required' => True),
        'author'       => array('required' => True),
        'title'        => array('required' => True),
        'story'        => array('required' => True),
        'date_created' => array('required' => True),
        'genre'        => array('required' => True),
        'youtubeid'    => array('required' => True),
    );
    // We will check ALL fields, and store here any missing ones
    $missing = array();

    foreach ($fields as $field => $definition)
    {
        if (!empty($_POST[$field]))
        {
            $obj->section = $_POST['section'];
            $obj->author = $_POST['author'];
            $obj->title = $_POST['title'];
            $obj->story = $_POST['story'];
            $obj->date_created = $_POST['date'];
            $obj->genre = $_POST['genre'];
            $obj->youtubeid = $_POST['youtubeid'];

            // We store the content in the object
            $obj->$field = $_POST[$field];
        }
        else
        {
            // Field is required? If so, its lack is an error
            if (True === $definition['required'])
                $missing[] = $field;
        }
    }
    if (!empty($missing))
    {
        echo "Sorry, field(s) missing: " . implode(',', $missing);
    } else {
        $obj->insert($field);
    }
}
?>
<div id="mainContent">
<br/>
<div id="insertform"> <!-- Insert Form Div -->

<div id="formWrap">
    <h2>Add a New Article</h2>
    <div id="form">
    <form action="insert.php" method="post" name="insert" id="comments_form">
        <div class="row">
            <div class="label">Picture</div>
            <div class="input">
                <input type="file" name="fileField" id="fileField" class="detail" />
            </div> <!-- end input -->
            <div class="context"></div> <!-- end context -->
        </div> <!-- end .row -->

        <div class="row">
            <div class="label">Section</div>
            <div class="input">
                <select name="section" id="section" class="detail">
                <?php
                $sections = array("Game", "Movie", "Music", "Tv", "Sport");
                foreach ($sections as $section) {
                    echo "<option value='$section'>$section</option>";
                }
                ?>
                </select>
            </div> <!-- end input -->
            <div class="context"> What are you writing about today? e.g. Movie </div> <!-- end context -->
        </div> <!-- end .row -->

        <div class="row">
            <div class="label">Author</div>
            <div class="input">
                <input type="input" name="author" id="author" class="detail"/>
            </div> <!-- end input -->
            <div class="context"> e.g. John Smith </div> <!-- end context -->
        </div> <!-- end .row -->

        <div class="row">
            <div class="label">Title</div>
            <div class="input">
                <input type="input" name="title" id="title" class="detail"/>
            </div> <!-- end input -->
            <div class="context"> e.g. X-Men Wolverine trailer </div> <!-- end context -->
        </div> <!-- end .row -->

        <div class="row">
            <div class="label">Article</div>
            <div class="input">
                <textarea name="story" id="story" class="detail"></textarea>
            </div> <!-- end input -->
            <div class="context">  </div> <!-- end context -->
        </div> <!-- end .row -->

        <div class="row">
            <div class="label">Date</div>
            <div class="input">
                <? $today = date("l j M Y");  // Monday 13 April 2013 ?>
                <input type="input" name="date_created" id="date_created" class="detail" value="<? echo $today;?>" />
            </div> <!-- end input -->
            <div class="context"> e.g. Monday 1st January 2013 </div> <!-- end context -->
        </div> <!-- end .row -->

        <div class="row">
            <div class="label">Genre</div>
            <div class="input">
                <input type="input" name="genre" class="detail" id="genre" />
            </div> <!-- end input -->
            <div class="context"> e.g. Movie = Action, Music = Hip Hop Etc. </div> <!-- end context -->
        </div> <!-- end .row -->

        <div class="row">
            <div class="label">Youtube Id</div>
            <div class="input">
                <input type="input" name="youtubeid" class="detail" id="youtubeid" />
            </div> <!-- end input -->
            <div class="context"> e.g. "oRT_JtSaRHg" please copy the value after "=?" from the youtube URL.</div> <!-- end context -->
        </div> <!-- end .row -->

        <input type="submit" id="submit" name="submit" value="Submit Message" />
        <div class="submit"> </div> <!-- end submit -->
    </form>
    </div> <!-- end form -->
</div> <!-- end form wrapper -->

</div>

2 Answers

/* Set our params */
$section = $_POST['section'];
$author = $_POST['author'];
$title = $_POST['title'];
$story = $_POST['story'];
$date_created = $_POST['date_created'];  // the form field is named date_created, not date
$genre = $_POST['genre'];
$youtubeid = $_POST['youtubeid']; 

Try this, or at least assign $obj's data to your parameter variables.

Answered 2013-04-12T21:16:59.100
public function insert ($field) {

     if ($stmt = $mysqli->prepare("INSERT INTO articles (section, author, title, story, date_created, genre, youtubeid) values (?, ?, ?, ?, ?, ?, ?)")) {

This code won't work. Nowhere in the insert() method is $mysqli defined, so your whole database chain is meaningless: you're using an undefined local variable, and therefore everything database-related from that point on is meaningless. For example, you effectively have

$stmt = null->prepare(....);

That's why $this->mysqli made things start "working". You started using a real database handle, so prepare/execute started working.

If no rows are being updated, that's not a PHP problem: you've somehow written the query wrong. But you have absolutely no error handling on the query calls, so you're just blindly assuming success. That's not a good way to write code. Always check for failures, e.g.

$stmt = $this->mysqli->prepare(...) or die($this->mysqli->error);
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Answered 2013-04-12T21:20:34.500
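Putting both answers together, here is a corrected version of the class and the insert.php handler as an added example (it is not code from the asker or either answerer). It assumes PHP 8, the `articles` table with the seven columns from the question, and a mysqli connection whose host, user, password and database name are placeholders; the `Article` constructor and the `collectArticleFields()` helper are names chosen here, not from the original code. The two fixes the answers call for are the ones the asker's code lacked: the statement is prepared on `$this->mysqli` and bound to the local values that are actually inserted, and every mysqli failure is surfaced rather than assumed away.

```php
<?php
declare(strict_types=1);

// Make every mysqli failure throw mysqli_sql_exception instead of returning false,
// so a failed prepare()/execute() can never be mistaken for success.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

final class Article
{
    private const FIELDS = ['section', 'author', 'title', 'story', 'date_created', 'genre', 'youtubeid'];

    // The connection is injected, so the method below never touches an undefined $mysqli.
    public function __construct(private mysqli $mysqli) {}

    /**
     * Insert one article. $data must contain exactly the keys in FIELDS.
     * Returns the new row id. Values travel as bound parameters, so quotes,
     * semicolons or comment markers inside them cannot alter the SQL.
     */
    public function insert(array $data): int
    {
        $missing = array_diff(self::FIELDS, array_keys($data));
        if ($missing) {
            throw new InvalidArgumentException('Missing field(s): ' . implode(',', $missing));
        }

        // Column names are fixed here, never taken from the request; only values are bound.
        $sql = 'INSERT INTO articles (section, author, title, story, date_created, genre, youtubeid)'
             . ' VALUES (?, ?, ?, ?, ?, ?, ?)';
        $stmt = $this->mysqli->prepare($sql);   // $this->mysqli, not a local $mysqli

        // Bind the values we actually insert, in column order ('s' = string for each).
        $stmt->bind_param(
            'sssssss',
            $data['section'], $data['author'], $data['title'], $data['story'],
            $data['date_created'], $data['genre'], $data['youtubeid']
        );
        $stmt->execute();   // throws on failure because of mysqli_report() above

        if ($stmt->affected_rows !== 1) {
            throw new RuntimeException('Insert affected ' . $stmt->affected_rows . ' rows');
        }
        $id = (int) $this->mysqli->insert_id;
        $stmt->close();
        return $id;
    }
}

// insert.php side: collect the posted fields, reject missing ones, then insert.
// (Hypothetical helper name; the field list matches the question's form.)
function collectArticleFields(array $post): array
{
    $fields = ['section', 'author', 'title', 'story', 'date_created', 'genre', 'youtubeid'];
    $data = [];
    $missing = [];
    foreach ($fields as $field) {
        // Read each field under the name the form actually sends
        // (the question's code read $_POST['date'] for an input named date_created).
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        if ($value === '') {
            $missing[] = $field;
        } else {
            $data[$field] = $value;
        }
    }
    if ($missing) {
        throw new InvalidArgumentException('Sorry, field(s) missing: ' . implode(',', $missing));
    }
    return $data;
}

if (isset($_POST['submit'])) {
    try {
        // Placeholder connection details; replace with your own.
        $mysqli = new mysqli('localhost', 'db_user', 'db_password', 'zaptube');
        $mysqli->set_charset('utf8mb4');
        $article = new Article($mysqli);
        $id = $article->insert(collectArticleFields($_POST));
        echo 'Inserted article #' . $id . "\n";
    } catch (InvalidArgumentException $e) {
        // Validation problem: safe to show to the user (escaped for HTML output).
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . "\n";
    } catch (mysqli_sql_exception $e) {
        // Database problem: log the detail server-side, show the user a generic message.
        error_log('Article insert failed: ' . $e->getMessage());
        echo "Sorry, the article could not be saved.\n";
    }
}
```

With `MYSQLI_REPORT_STRICT` set there is no need for the `or die($this->mysqli->error)` pattern on each call: a malformed query or a lost connection raises an exception at the call that failed, and the handler decides what the user sees while the full error goes to the server log.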