-1

我有以下工作MySQL 插入:

$tableSelect = $_POST["tableSelect"];
$companyName = $_POST["companyName"];
$telephone = $_POST["telephone"];
$fax = $_POST["fax"];
$email = $_POST["email"];
$address = $_POST["address"];
$postcode = $_POST["postcode"];
$category = $_POST["category"];
$contact = $_POST["contact"];
$contactTel = $_POST["contactTel"];
$contactEmail = $_POST["contactEmail"];
$sql = "INSERT INTO $tableSelect (companyName,telephone,fax,email,address,postcode,category,contact,contactTel,
    contactEmail) VALUES ('$companyName','$telephone','$fax','$email','$address','$postcode','$category',
    '$contact','$contactTel','$contactEmail');";
if (!mysqli_query($con,$sql)) {
    die('Error: ' . mysqli_error($con));
}

但是,我尝试将其更改为准备好的声明以保护自己免受注射,如下所示:

$stmt = $con->prepare("INSERT INTO suppliers (companyName,telephone,fax,email,address,postcode,
    category,contact,contactTel,contactEmail) VALUES(:companyName, :telephone, :fax, :email, :address,
    :postcode, :category, :contact, :contactTel, :contactEmail);");
if ($stmt !== FALSE) {
    $stmt->bindParam(':companyName',$companyName);
    $stmt->bindParam(':telephone',$telephone);
    $stmt->bindParam(':fax',$fax);
    $stmt->bindParam(':email',$email);
    $stmt->bindParam(':address',$address);
    $stmt->bindParam(':postcode',$postcode);
    $stmt->bindParam(':category',$category);
    $stmt->bindParam(':contact',$contact);
    $stmt->bindParam(':contactTel',$contactTel);
    $stmt->bindParam(':contactEmail',$contactEmail);
    $companyName = $_POST["companyName"];
    $telephone = $_POST["telephone"];
    $fax = $_POST["fax"];
    $email = $_POST["email"];
    $address = $_POST["address"];
    $postcode = $_POST["postcode"];
    $category = $_POST["category"];
    $contact = $_POST["contact"];
    $contactTel = $_POST["contactTel"];
    $contactEmail = $_POST["contactEmail"];
    $stmt->execute();
}
else {
    echo "Could not connect";
}

每次我运行它,$stmt返回false。这是我第一次使用准备好的语句,而且我对 MySQL 还很陌生,所以非常感谢一些指针。

4

2 回答 2

1

mysqli 的语法错误。您已尝试使用 PDO。对于 mysqli

$stmt = $con->prepare("INSERT INTO suppliers (companyName,telephone,fax,email,address,postcode,category,contact,contactTel,contactEmail) VALUES(?,?,?,?,?,?,?,?,?,?)");



if($stmt){

        $stmt->bind_param('ssssssssss',$companyName,$telephone,$fax,$email,$address,$postcode,$category,$contact,$contactTel,$contactEmail);
        //s for string, i for integer, d for double, b for blob
        $stmt->execute();
}else{

       echo($con->error); //TO display Error
}
于 2013-09-06T13:39:22.240 回答
0

尽管您的问题肯定是题外话,但这里有一些指示

假设您在第二个示例中使用 PDO(出于某种原因,您没有在问题中指出它)

  1. 你必须告诉 PDO 抛出异常

    $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

    它至少会让你想到一个错误信息。

  2. 客户端永远不应该提供表名
  3. 调整绑定变量以使其适合查询
  4. 无需冗长的代码,只需从 $_POST 数组中删除不必要的成员并将其传递给执行

像这样的东西

$con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$sql = "INSERT INTO suppliers 
 (companyName,telephone,fax,email,address,postcode,
  category,contact,contactTel,contactEmail) 
 VALUES 
 (:companyName, :telephone, :fax, :email, :address,
  :postcode, :category, :contact, :contactTel, :contactEmail)";
$stmt = $con->prepare($sql);
unset ($_POST['submit']);
// make sure you unset all the useless members
$stmt->execute($_POST);
于 2013-09-06T13:33:45.680 回答