mysqli bind_param 变量数与准备语句中的参数数不匹配
mysqli bind_param Number of variables doesn't match number of parameters in prepared statement
我收到这个错误:
Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement
代码:
$stmt = $sql->prepare("SELECT name, site, message, `when` FROM messages WHERE message LIKE '%?%'");
$stmt->bind_param('s', $_GET['search']);
$stmt->execute();
$result = $stmt->get_result();
我正在尝试让用户输入准备好的语句。
此代码工作正常,但对 SQL 注入不安全:
$result = $sql->query("SELECT name, site, message, `when` FROM messages WHERE message LIKE '%" . $_GET['search'] . "%'");
在准备好的语句中使用 LIKE 时,有点不同。您应该将 % 添加到参数 之前 将其绑定到语句。
试试下面的方法:
$param = "%{$_GET['search']}%";
$stmt = $sql->prepare("SELECT name, site, message, `when` FROM messages WHERE message LIKE ?");
$stmt->bind_param('s', $param);
$stmt->execute();
$result = $stmt->get_result();
我收到这个错误:
Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement
代码:
$stmt = $sql->prepare("SELECT name, site, message, `when` FROM messages WHERE message LIKE '%?%'");
$stmt->bind_param('s', $_GET['search']);
$stmt->execute();
$result = $stmt->get_result();
我正在尝试让用户输入准备好的语句。
此代码工作正常,但对 SQL 注入不安全:
$result = $sql->query("SELECT name, site, message, `when` FROM messages WHERE message LIKE '%" . $_GET['search'] . "%'");
在准备好的语句中使用 LIKE 时,有点不同。您应该将 % 添加到参数 之前 将其绑定到语句。
试试下面的方法:
$param = "%{$_GET['search']}%";
$stmt = $sql->prepare("SELECT name, site, message, `when` FROM messages WHERE message LIKE ?");
$stmt->bind_param('s', $param);
$stmt->execute();
$result = $stmt->get_result();