Error mysqli_stmt::bind_param():

0

I installed the XAMPP program and I get this error message, and so far I cannot fix it:

Warning: mysqli_stmt::bind_param(): Number of variables does not match number of parameters in prepared statement in D:\xampp\htdocs\server\encyclopedia\index.php on line 29

and the code I'm using is this:

    $galNumb = 'SELECT COUNT(*) AS total FROM enciclopedia WHERE status = "1"';
    $stmt = $mysqli->prepare($galNumb);
    $stmt->bind_param('i', $pjInfo['total']);
    if ( ! $stmt->execute()) {
        trigger_error('The query execution failed; MySQL said ('.$stmt->errno.') '.$stmt->error, E_USER_ERROR);
    }
    $col1 = null;
    $stmt->bind_result($col1); // you can bind multiple columns in one function call

    while ($stmt->fetch()) { // for this query, there will only be one row, but it makes for a more complete example
        $echo .= '<div class="enciclopediarow"><a class="title" href="/enciclopedia/review">Review</a><br>'.PHP_EOL;
        $echo .= '<b>'.$col1.'</b> articulos aprovados</div>'.PHP_EOL;
    }
    $stmt->close(); // explicitly closing your statements is good practice

Specifically on this line: $stmt = $mysqli->prepare($galNumb);

Greetings

asked by Victor Hugo 07.05.2017 at 20:13

1 answer

0

bind_param() is a fundamental part of what is known as prepared queries. It works together with prepare and serves to prevent a query in which foreign data intervenes from being sent to execution directly. The data that comes from outside could be modified by malicious users so that, along with a normal query, one or more harmful queries go to execution. This is what is known as SQL Injection.

Precisely what bind_param is used for is to collect and pass that data to the database for execution, verifying first that there is no malicious code in it.

The error "Number of variables does not match number of parameters in prepared statement" indicates that in the SQL statement there must be a parameter to be passed by bind_param(); these parameters are represented in the SQL string by the question mark ?.

When you do $stmt->bind_param('i', $pjInfo['total']);, PHP looks for the ? sign in the string $galNumb, but cannot find it.

To use bind_param() in your query, it should be something like this:

    $galNumb = 'SELECT COUNT(*) AS total FROM enciclopedia WHERE status = ?;';
    $stmt = $mysqli->prepare($galNumb);
    $stmt->bind_param('i', $pjInfo['total']);

I have assumed that what you want to obtain is the data in which status is equal to the value received in $pjInfo['total'].

You will see that in the SQL string status = ? has been set; this means that this value will be passed separately, precisely by using bind_param().

This way, it prevents any user from entering malicious queries, which is very easy if you send a query as it is, with the SQL statement and the values together.

The topic of SQL Injection is a broad one, but it needs to be known, since it seriously concerns the security of the data.

I leave you some links:

answered by 07.05.2017 at 20:30
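The two cases the answer describes, as an added example that is not code from the question or the answer: a constant query that needs no bind_param() at all, and a parameterised query whose single "?" is bound separately, with a check that the placeholder count the server reports matches the number of values about to be bound (the mismatch behind the warning in the question). It assumes a local MySQL database reachable with the placeholder credentials below and the `enciclopedia` table from the question with an integer `status` column.

```php
<?php
declare(strict_types=1);

// Throw exceptions on MySQL errors instead of emitting warnings.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// A constant query with no external input needs no placeholder and no bind_param().
function countApproved(mysqli $db): int
{
    $row = $db->query('SELECT COUNT(*) AS total FROM enciclopedia WHERE status = 1')->fetch_assoc();
    return (int) $row['total'];
}

// Count rows whose status matches an externally supplied value. The value is
// bound to the "?" and never concatenated into the SQL text.
function countByStatus(mysqli $db, int $status): int
{
    $stmt = $db->prepare('SELECT COUNT(*) AS total FROM enciclopedia WHERE status = ?');

    // The server reports how many "?" it parsed; it must equal the number of
    // values we bind. In the question the query had 0 placeholders but
    // bind_param() was given 1 variable, hence the warning.
    $expected = 1;
    if ($stmt->param_count !== $expected) {
        throw new LogicException(sprintf(
            'prepared statement has %d placeholder(s), expected %d',
            $stmt->param_count,
            $expected
        ));
    }

    $stmt->bind_param('i', $status); // 'i' = integer
    $stmt->execute();
    $total = 0;
    $stmt->bind_result($total);
    $stmt->fetch();
    $stmt->close();
    return (int) $total;
}

// Placeholder credentials (assumption): replace with your own.
$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$mysqli->set_charset('utf8mb4');

// External input is cast to int and then bound, never spliced into the query string.
$status = (int) ($_GET['status'] ?? 1);
printf("%d articles with status %d\n", countByStatus($mysqli, $status), $status);
printf("%d approved articles\n", countApproved($mysqli));
```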