1

我正在尝试通过这些语句添加新的数据库用户:

$insert = $db->prepare("CREATE USER ? IDENTIFIED BY ?");
$insert->bind_param('ss', $_POST['username'], $_POST['pass']);
$insert->execute();

数据库给了我错误: You have an error in your SQL syntax; (...) near '? IDENTIFIED BY ?' at line 1

当我尝试添加没有?通配符的新用户时,一切都很好:

CREATE USER john IDENTIFIED BY 'johnpassword' //this works,

但即使CONCAT("'", ?, "'")用于提交数据也无济于事。

我在 MySQL 文档中读到 MySQL 5.7 应该支持CREATE USERSQL 语句的预准备语句,但 MySQLi 似乎不支持。

4

1 回答 1

0

我通过在数据库的变量中设置值省略了这个问题:

    $insert = $db->prepare("SET @username = ? "); //store username in variable in database
    $insert->bind_param('s', $_POST['username']);
    $insert->execute();
    $insert = $db->prepare("SET @password = ? "); //store password in variable in database
    $insert->bind_param('s', $_POST['pass']);
    $insert->execute();

    $insert = $db->query("SET @query1 = CONCAT('CREATE USER ', @username,' IDENTIFIED BY \'', @password, '\'')");
    if ($insert == false) {
        print ($db->error);
    }
    $insert = $db->multi_query("PREPARE stmt FROM @query1"); //create user by using initialized variables. Note that you dont need to use prepared statements now
        if ($insert == false) {
        print ($db->error);
    }
    $insert = $db->query("EXECUTE stmt;");
    if ($insert == false) {
        print ($db->error);
    }
    $insert = $db->query("DEALLOCATE PREPARE stmt;");
    if ($insert == false) {
        print ($db->error);
    }
    $insert = $db->query("SET @password = null"); //clear plaintext password for safety reasons
于 2014-07-16T12:37:13.247 回答