准备好的陈述 + PDO

Prepared Statements + PDO

首先,请注意我不是将其用作真实世界的登录,它纯粹是为了练习。我正在使用 PHP/MySQLi 并尝试执行准备好的语句,但我没有正确执行。这是我的工作代码,只有 mysqli_escape_string:

$host="localhost";
$username="login";
$password="password";
$db_name="database";


$link=mysqli_connect("$host", "$username", "$password", "$db_name")or die("cannot connect to server"); 

$tbl_name=temp_members;

// Random confirmation code to be sent in email
$confirm_code=md5(uniqid(rand())); 

//from signup.php
$name=$_POST['name'];
$email=$_POST['email'];
$pwd=$_POST['password'];

$name = mysqli_real_escape_string($link, $name);
$email = mysqli_real_escape_string($link, $email);
$pwd = mysqli_real_escape_string($link, $pwd);

$pwd = password_hash($pwd, PASSWORD_DEFAULT);

// Insert data into temp_members
$sql="INSERT INTO $tbl_name(confirm_code, name, email, password)VALUES('$confirm_code', '$name', '$email', '$pwd')";
$result=mysqli_query($link, $sql);


if($result){

    //email
    $to=$email;
    $subject="(no reply)";
    $header="from: Ben Pappas <mrbenpappas@gmail.com>";

    // message 
    $message="Hello ".$name.", Thanks for signing up! \r\n";
    $message.="Click on this link to activate your account: \r\n";
    $message.="http://www.monger.us/verify/confirmation.php?       passkey=$confirm_code";

    // send email
    $sentmail = mail($to,$subject,$message,$header);
}

这是我对 PDO/准备好的语句的(糟糕的)尝试:

$host="localhost";
$username="login";
$password="password";
$db_name="database";


$link = new PDO("mysql:host=$host;dbname=$db_name",$username,$password) or die("cannot connect to server");

$tbl_name=temp_members;

// Random confirmation code to be sent in email
$confirm_code=md5(uniqid(rand())); 

//from signup.php
$name=$_POST['name'];
$email=$_POST['email'];
$pwd=$_POST['password'];

$name = mysqli_real_escape_string($link, $name);
$email = mysqli_real_escape_string($link, $email);
$pwd = mysqli_real_escape_string($link, $pwd);

$pwd = password_hash($pwd, PASSWORD_DEFAULT);

// Insert data into temp_members

$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name, email, password)VALUES('$confirm_code', '$name', '$email', '$pwd')";
$statement->execute(array(
    $confirm_code => 'confirm_code',
    $email => 'email',
    $name => 'name'
));
$result = ($link, $statement);


if($result){

//email
$to=$email;
$subject="(no reply)";
$header="from: Ben Pappas <mrbenpappas@gmail.com>";

// message
$message="Hello ".$name.", Thanks for signing up! \r\n";
$message.="Click on this link to activate your account: \r\n";
$message.="http://www.monger.us/verify/confirmation.php?    passkey=$confirm_code";

// send email
$sentmail = mail($to,$subject,$message,$header);
}

我在正在调用语句变量的行上收到一条错误消息,消息说意外的“;”

请原谅任何明显的错误我是学徒

            $value = $_POST['value'];
            $stmt = $mysqli->prepare("INSERT INTO XYZ (field) VALUES (?)");
            $stmt->bind_param('s', $value);  
            $stmt->execute(); 

语句应如下所示。

"s" 代表字符串,"i" 代表 int

您是 missing $语句行上​​的 close 方括号:

try this

$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name, email, password)VALUES(:confirm_code, :name, :email, :pwd)");
$statement->execute(array(
    ':confirm_code' => $confirm_code,
    ':email' => $email,
    ':name'  => $name,
    ':pwd' => $pwd
));
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name, 
   email, password)VALUES('$confirm_code', '$name', '$email', '$pwd')";

应改为:

$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name,
   email, password)VALUES(:confirm_code, :name, :email, :pwd)");
$statement->execute(array(
':confirm_code' => $confirm_code,
':email' => $email,
':name' => $name,
':pwd' => $pwd
));

也不需要 mysqli_real_escape_string 代码:绑定负责为您转义数据。