这成功地从表中检索数据,但这不使用 mySQL 准备好的语句。$sql = "SELECT email, created_at, firstname, lastname FROM users WHERE id ='" . $_SESSION['id'] . "'";$result = mysqli_query($link, $sql);if (mysqli_num_rows($result) > 0) { // output data of each row while($row = mysqli_fetch_assoc($result)) { $email_address = $row["email"]; $creatiom_time = $row["created_at"]; $fname = $row["firstname"]; $lname = $row["lastname"]; }}如何将其转换为准备好的语句以防止 SQL 注入?我尝试转换它并没有检索到数据。$stmt = mysqli_prepare($link, "SELECT email, created_at, firstname, lastname FROM users WHERE id=?");$stmt->bind_param("i", $_SESSION['id']);$stmt->execute();$stmt->bind_result($email_address, $creatiom_time, $fname, $lname);$stmt->close();我究竟做错了什么?电子邮件是唯一的,所以这应该只返回一行;但是,当我使用上述准备好的语句时,没有返回任何内容。谢谢你。
1 回答
拉风的咖菲猫
TA贡献1995条经验 获得超2个赞
您需要使用以下命令将行数据实际存储到绑定结果变量中fetch:
$stmt = mysqli_prepare($link, "SELECT email, created_at, firstname, lastname FROM users WHERE id=?");
$stmt->bind_param("i", $_SESSION['id']);
$stmt->execute();
$stmt->bind_result($email_address, $creatiom_time, $fname, $lname);
$stmt->fetch();
$stmt->close();
echo $email_address; // etc.
请注意,您确实应该检查这些调用的返回状态,尤其是prepare,execute和fetch。
- 1 回答
- 0 关注
- 137 浏览
添加回答
举报
0/150
提交
取消