我试图在 msyql 查询中使用准备好的语句来防止 SQL 注入。
我已经更换了这条线:
$this->Query_ID = @mysql_query($Query_String_Clean,$this->Link_ID);
有了这个:
$preparedQuery = $this->Link_ID->prepare($Query_String_Clean);
$this->Query_ID = $preparedQuery->execute();
但它不起作用,给出错误:
Call to a member function execute() on a non-object
难道我做错了什么?
这是您使用 MySQLi 阅读的方式:
看看这个:
<?php
// Init the database connection
$db = new mysqli("example.com", "user", "password", "database");
// Look for errors or throw an exception
if ($db->connect_errno) {
throw new Exception($db->connect_error, $db->connect_errno);
}
// Init prepared statement
$prep = $db->stmt_init();
// Prepared statement
$prep = $db->prepare("SELECT username, points FROM account_information WHERE username = ? AND username IS NOT NULL AND username != ''");
// See if statement is ok
if (!$prep) {
throw new Exception($db->error);
}
// Put your variables into the query
$prep->bind_param('s', $_SESSION['username']);
// Fire the query!
$prep->execute();
// This is magic, it's awesome.. try it :-))
$prep->bind_result($username, $points);
// Get the results easily
while ($prep->fetch()) {
echo "{$username} has {$points}<br>", PHP_EOL;
}
// This is like in our house, when we leave it, we close the door
$prep->close();
$db->close();