Invalid parameter number: no parameters were bound

南笙 2021-01-22 21:46

I have a static chat application using php and mysql, here's the code to display the messages in the chat box

$sql="SELECT id,msg,time,msg.from,msg.to from ms


        
1 answer
  • 2021-01-22 22:45

    You're not using bind_param, as per the prepared statement paradigm.

    In your select:

    $sql = "SELECT id,msg,time,msg.from,msg.to 
            FROM msg 
            WHERE msg.from IN (?, ?) 
                AND msg.to IN (?, ?)
            ORDER BY time";
    
    $ex = $conn->prepare($sql);
    // One bind_param() call covers all four "?" placeholders: one type
    // character per placeholder ("ssss"), variables in placeholder order.
    $ex->bind_param("ssss", $_SESSION["username"], $_SESSION["tousermessage"],
                            $_SESSION["username"], $_SESSION["tousermessage"]);
    $ex->execute();
    

    And in your update:

    $sql = "UPDATE msg 
            SET readmsg=1 
            WHERE id = ? 
                AND msg = ?";
    
    $ex1 = $conn->prepare($sql);
    // Two placeholders, one call: "i" for the integer id, "s" for the message text.
    $ex1->bind_param("is", $result['id'], $result["msg"]);
    $ex1->execute();
    

    The above allows your prepared statement to accept parameters in the parameterized string format (using "?" to represent a param), and to accept params with type information, via the bind_param() method.

    This allows the DB engine to properly cast and escape params prior to executing your query.

    There's no point using prepared statements if you're not binding params, which is probably why you're getting that warning.

    On a side note, concatenation of queries (as you're doing above) is a very bad habit: it opens you up to SQL Injection.


    See the docs for more info on prepared statements:

    http://php.net/manual/en/mysqli-stmt.prepare.php

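The following is an added example, not code from the question or the answer above, showing the two queries from the answer as complete mysqli functions with every placeholder bound in a single bind_param() call. The table and column names (msg, id, msg, time, from, to, readmsg) and the session keys come from the page; the connection credentials are placeholders, the fallback usernames are constructed, and get_result() assumes the mysqlnd driver (the default in current PHP builds).

```php
<?php
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false on errors,
// so a mismatched placeholder count is reported immediately.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials (assumption): replace with your own.
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$conn->set_charset('utf8mb4');

/**
 * Fetch the conversation between $me and $them, oldest first.
 * Four "?" placeholders, so the type string has four characters ("ssss")
 * and bind_param() is called exactly once with four variables, in order.
 */
function fetchConversation(mysqli $conn, string $me, string $them): array
{
    $sql = 'SELECT id, msg, time, msg.from, msg.to
            FROM msg
            WHERE msg.from IN (?, ?)
              AND msg.to   IN (?, ?)
            ORDER BY time';
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('ssss', $me, $them, $me, $them);
    $stmt->execute();
    // get_result() requires mysqlnd; with libmysqlclient use bind_result() instead.
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

/**
 * Mark one message as read. The id is bound as an integer ("i"), so it is
 * sent to the server as a typed value and never spliced into the SQL text.
 * Returns the number of rows updated (0 or 1, since id is the row key).
 */
function markRead(mysqli $conn, int $id): int
{
    $stmt = $conn->prepare('UPDATE msg SET readmsg = 1 WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->affected_rows;
}

// The pattern the answer warns against, shown only for contrast:
//   $sql = "SELECT ... WHERE msg.from = '" . $_SESSION['username'] . "'";
// Here a username containing a quote character ends the string literal and
// the remainder of the username is parsed as SQL. With bind_param() the
// value travels separately from the query text, so that cannot happen.

// Constructed fallback values so the script runs outside a web session.
$me   = $_SESSION['username'] ?? 'alice';
$them = $_SESSION['tousermessage'] ?? 'bob';

foreach (fetchConversation($conn, $me, $them) as $row) {
    if ($row['to'] === $me) {
        markRead($conn, (int) $row['id']);   // mark messages addressed to me as read
    }
    printf("[%s] %s -> %s: %s\n", $row['time'], $row['from'], $row['to'], $row['msg']);
}
```

The rule to remember from the answer: the length of the type string must equal the number of "?" placeholders, and bind_param() is called once per statement, not once per placeholder. With MYSQLI_REPORT_STRICT enabled, a count mismatch throws an ArgumentCountError or mysqli_sql_exception at bind or execute time rather than silently running a query without its parameters.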