PDO::exec() 期望参数 1 为字符串,使用准备语句时给出的对象
PDO::exec() expects parameter 1 to be string, object given when using prepared statements
我正在尝试通过使用准备好的语句来防止 SQL-注入。
以下代码显示了创建新用户时调用的函数。被注释掉的代码确实有效但不安全。因此,我尝试更改它,但出现以下错误:
PDO::exec() expects parameter 1 to be string, object given
代码如下:
function save()
{
if ($this->id === null) {
$query = self::$app->db->prepare(self::INSERT_QUERY);
$query->bindParam(1, $this->username);
$query->bindParam(2, $this->password);
$query->bindParam(3, $this->email);
$query->bindParam(4, $this->bio);
$query->bindParam(5, $this->isAdmin);
//$query = sprintf(self::INSERT_QUERY,
// $this->username,
// $this->password,
// $this->email,
// $this->bio,
// $this->isAdmin );
} else {
$query = sprintf(self::UPDATE_QUERY,
$this->username,
$this->password,
$this->email,
$this->bio,
$this->isAdmin,
$this->id
);
}
return self::$app->db->exec($query);
}
我对 PHP 和安全性都很陌生,所以任何提示都将不胜感激!
执行预处理语句的PDO::prepare method returns a PDOStatement object (not a string value). You need to use the PDOStatement::execute方法:
$query = self::$app->db->prepare(self::INSERT_QUERY);
$query->bindParam(1, $this->username);
$query->bindParam(2, $this->password);
$query->bindParam(3, $this->email);
$query->bindParam(4, $this->bio);
$query->bindParam(5, $this->isAdmin);
$query->execute(); //execute the prepared statement.
使用 PDO::exec 只能执行 SQL 语句(没有绑定参数)。
您正在混合准备语句和 SQL 语句。您应该使用以下内容:
function save()
{
if ($this->id === null) {
$query = self::$app->db->prepare(self::INSERT_QUERY);
$query->bindParam(1, $this->username);
$query->bindParam(2, $this->password);
$query->bindParam(3, $this->email);
$query->bindParam(4, $this->bio);
$query->bindParam(5, $this->isAdmin);
return $query->execute();
} else {
$query = self::$app->db->prepare(self::UPDATE_QUERY);
$query->bindParam(1, $this->username);
$query->bindParam(2, $this->password);
$query->bindParam(3, $this->email);
$query->bindParam(4, $this->bio);
$query->bindParam(5, $this->isAdmin);
$query->bindParam(6, $this->id);
return $query->execute();
}
}
我正在尝试通过使用准备好的语句来防止 SQL-注入。
以下代码显示了创建新用户时调用的函数。被注释掉的代码确实有效但不安全。因此,我尝试更改它,但出现以下错误:
PDO::exec() expects parameter 1 to be string, object given
代码如下:
function save()
{
if ($this->id === null) {
$query = self::$app->db->prepare(self::INSERT_QUERY);
$query->bindParam(1, $this->username);
$query->bindParam(2, $this->password);
$query->bindParam(3, $this->email);
$query->bindParam(4, $this->bio);
$query->bindParam(5, $this->isAdmin);
//$query = sprintf(self::INSERT_QUERY,
// $this->username,
// $this->password,
// $this->email,
// $this->bio,
// $this->isAdmin );
} else {
$query = sprintf(self::UPDATE_QUERY,
$this->username,
$this->password,
$this->email,
$this->bio,
$this->isAdmin,
$this->id
);
}
return self::$app->db->exec($query);
}
我对 PHP 和安全性都很陌生,所以任何提示都将不胜感激!
执行预处理语句的PDO::prepare method returns a PDOStatement object (not a string value). You need to use the PDOStatement::execute方法:
$query = self::$app->db->prepare(self::INSERT_QUERY);
$query->bindParam(1, $this->username);
$query->bindParam(2, $this->password);
$query->bindParam(3, $this->email);
$query->bindParam(4, $this->bio);
$query->bindParam(5, $this->isAdmin);
$query->execute(); //execute the prepared statement.
使用 PDO::exec 只能执行 SQL 语句(没有绑定参数)。
您正在混合准备语句和 SQL 语句。您应该使用以下内容:
function save()
{
if ($this->id === null) {
$query = self::$app->db->prepare(self::INSERT_QUERY);
$query->bindParam(1, $this->username);
$query->bindParam(2, $this->password);
$query->bindParam(3, $this->email);
$query->bindParam(4, $this->bio);
$query->bindParam(5, $this->isAdmin);
return $query->execute();
} else {
$query = self::$app->db->prepare(self::UPDATE_QUERY);
$query->bindParam(1, $this->username);
$query->bindParam(2, $this->password);
$query->bindParam(3, $this->email);
$query->bindParam(4, $this->bio);
$query->bindParam(5, $this->isAdmin);
$query->bindParam(6, $this->id);
return $query->execute();
}
}