PDO::exec() expects parameter 1 to be string, object given when using prepared statements

I am trying to prevent SQL injection by using prepared statements.

The following code shows the function that is called when a new user is created. The commented-out code does work, but it is not secure. So I tried to change it, but I get the following error:

PDO::exec() expects parameter 1 to be string, object given

The code is as follows:

function save()
{
    if ($this->id === null) {
        $query = self::$app->db->prepare(self::INSERT_QUERY);
        $query->bindParam(1, $this->username);
        $query->bindParam(2, $this->password);
        $query->bindParam(3, $this->email);
        $query->bindParam(4, $this->bio);
        $query->bindParam(5, $this->isAdmin);

        //$query = sprintf(self::INSERT_QUERY,
        //    $this->username,
        //    $this->password,
        //    $this->email,
        //    $this->bio,
        //    $this->isAdmin
        //);
    } else {
        $query = sprintf(self::UPDATE_QUERY,
            $this->username,
            $this->password,
            $this->email,
            $this->bio,
            $this->isAdmin,
            $this->id
        );
    }

    return self::$app->db->exec($query);
}

I am new to both PHP and security, so any tips would be much appreciated!

The PDO::prepare method returns a PDOStatement object (not a string value). To execute the prepared statement you need to use the PDOStatement::execute method:

$query = self::$app->db->prepare(self::INSERT_QUERY);
$query->bindParam(1, $this->username);
$query->bindParam(2, $this->password);
$query->bindParam(3, $this->email);
$query->bindParam(4, $this->bio);
$query->bindParam(5, $this->isAdmin);
$query->execute(); // execute the prepared statement

PDO::exec can only be used to execute a plain SQL statement (one with no bound parameters).


You are mixing prepared statements and plain SQL statements. You should use the following:

function save()
{
    if ($this->id === null) {
        $query = self::$app->db->prepare(self::INSERT_QUERY);
        $query->bindParam(1, $this->username);
        $query->bindParam(2, $this->password);
        $query->bindParam(3, $this->email);
        $query->bindParam(4, $this->bio);
        $query->bindParam(5, $this->isAdmin);
        return $query->execute();
    } else {
        $query = self::$app->db->prepare(self::UPDATE_QUERY);
        $query->bindParam(1, $this->username);
        $query->bindParam(2, $this->password);
        $query->bindParam(3, $this->email);
        $query->bindParam(4, $this->bio);
        $query->bindParam(5, $this->isAdmin);
        $query->bindParam(6, $this->id);
        return $query->execute();
    }
}
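As an added example that is not part of the question or either answer, here is a self-contained script that runs the prepare/bind/execute flow both answers describe against an in-memory SQLite database; the table layout, the INSERT_QUERY/UPDATE_QUERY definitions and the saveUser() helper are assumptions made for this demonstration.

```php
<?php
// Added example, not code from the question or either answer. The table
// layout, the query constants and saveUser() are assumptions for this demo.
const INSERT_QUERY = 'INSERT INTO users (username, password, email, bio, is_admin)
                      VALUES (?, ?, ?, ?, ?)';
const UPDATE_QUERY = 'UPDATE users SET username = ?, password = ?, email = ?,
                      bio = ?, is_admin = ? WHERE id = ?';

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// PDO::exec() takes a plain SQL string with nothing bound: correct for this
// DDL statement, but it cannot take the PDOStatement that prepare() returns.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
           password TEXT, email TEXT, bio TEXT, is_admin INTEGER)');

function saveUser(PDO $db, array $user): int
{
    $isInsert = $user['id'] === null;
    $stmt = $db->prepare($isInsert ? INSERT_QUERY : UPDATE_QUERY);
    $stmt->bindValue(1, $user['username']);
    $stmt->bindValue(2, $user['password']);
    $stmt->bindValue(3, $user['email']);
    $stmt->bindValue(4, $user['bio']);
    $stmt->bindValue(5, $user['isAdmin'] ? 1 : 0, PDO::PARAM_INT);
    if (!$isInsert) {
        $stmt->bindValue(6, $user['id'], PDO::PARAM_INT);
    }
    $stmt->execute(); // PDOStatement::execute(), not PDO::exec()
    return $isInsert ? (int) $db->lastInsertId() : $user['id'];
}

// Constructed input containing SQL metacharacters. Because the value travels
// through a placeholder it is stored verbatim as data and never becomes part
// of the statement text, which is what the sprintf() version could not guarantee.
$user = ['id' => null, 'username' => "bob' OR '1'='1", 'password' => 'hashed',
         'email' => 'bob@example.com', 'bio' => "it's me", 'isAdmin' => false];
$user['id'] = saveUser($db, $user);

$user['bio'] = 'updated';
saveUser($db, $user); // takes the UPDATE branch with the 6th placeholder

$stmt = $db->prepare('SELECT username, bio FROM users WHERE id = ?');
$stmt->execute([$user['id']]);
var_dump($stmt->fetch(PDO::FETCH_ASSOC));
```

Run it with any PHP build that ships the pdo_sqlite extension; the dumped row shows the username stored unchanged, quotes included, and the bio updated by the second call.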