今天看了PHP防SQL注入,使用预处理prepare,但是我insert数据时,总是插不进去,但是select却可以,弄了很久终于知道原来问题在这里,先上代码
<?php header('content-type:text/html;charset=utf8');
//接收表单数据
//$username = $_POST['username'];
$conn = new mysqli('localhost','root','akagami-666','water');
if($conn -> connect_errno){ echo "连接失败".$conn -> connect_error; }
$sql = "insert into w_safe(name) values(?)";
// $sql = "select * from w_safe where name=?";
$stmt = $conn -> prepare($sql); $stmt -> bind_param("s",$username);
$username = $_POST['username'];
$stmt -> execute();
echo $stmt -> affected_rows;
$stmt -> close();
$conn -> close();
出问题的原因就是,我一开始是先接收post值,定义$username变量,后执行bind_param(),而这就导致无法插入数据,
必须要先写bind_param(),在定义里面的变量才行。
希望能帮助遇到同样问题的小伙伴!!!