我正在尝试将 mysqli 代码嵌入到我的网页中,以便消除 sql 注入。这是我的代码现在的样子:
$gYear = $_POST["year"];
$gYear2 = $_POST["year2"];
$gMonth = $_POST["month"];
$gSelect = $_POST["location"];
$query = $conn->prepare("SELECT $gSelect, Year FROM unemployed WHERE year BETWEEN '$gYear' AND '$gYear2' and month='$gMonth'");
$query->bind_param('ssss', $gyear, $gYear2, $gMonth, $gSelect);
$query->execute();
$result = $query->get_result();
while ($row = $result->fetch_object()){
// do something with gathered rows
}
现在,一旦提交表单,我就会收到两个错误。他们是这样说的:
Warning: mysqli_stmt::bind_param() [mysqli-stmt.bind-param]: Number of variables doesn't match number of parameters in prepared statement in
和
Fatal error: Call to undefined method mysqli_stmt::get_result() in
我真的不知道我的问题是什么。我尝试遵循如何防止 PHP 中的 SQL 注入中列出的规则?. 有谁知道我的问题是什么?为什么我会收到这两条错误消息?任何帮助将不胜感激。