Error when attempting to "cleanly" insert data into a MySQL database; Fatal error: Call to a member function execute() on a non-object in

I'm relatively new to PHP and I'm trying to build a registration + login system. I ran into a problem when trying to safely insert the user's "username" and "password" into the database.

I get this error:

http://puu.sh/2SUOg.png

I followed this guide...

How can I prevent SQL injection in PHP?

...Unless I'm blind and the 30 minutes I spent searching/Googling failed me, my syntax seems correct?

Any ideas?

The error points to line 107

<?php include('assets/repository/mysql.php') ?>
<?php
  /* 
  * -------------------------------------------------------------------------------------
  * -------------------- VARIABLE DECLARATION & SQL CONNECTION STUFF --------------------
  * -------------------------------------------------------------------------------------
  */
  // variable declaration from previous page (register/login page)
  $EMAIL                 = strtoupper($_POST["email"]);
  $PASSWORD              = $_POST["password"];
  $PASSWORD_CONFIRMATION = $_POST["passwordConfirmation"];
?>
<?php
  /*
  * -------------------------------------------------------------------------------------
  * ---------------------------- REGISTRATION FORM VALIDATION ---------------------------
  * -------------------------------------------------------------------------------------
  * loginerr=0 -> passwords don't match
  * loginerr=1 -> username already exists in DB
  * loginerr=2 -> registration is currently disabled
  * loginerr=3 -> password is too long and/or too short
  * loginerr=4 -> email isn't in proper format
  * loginerr=5 -> email is too long and/or too short
  */
  // ----- Do passwords match? loginerr=0 -----
  // Working 2013/05/13
  if($PASSWORD != $PASSWORD_CONFIRMATION){
    header('Location: http://127.0.0.1/login.php?loginerr=0') ;
    exit();
  }
  // ----- Does username already exist in the DB? loginerr=1 -----
  // Working 2013/05/13
  $findUserQuery = "SELECT * FROM `users` WHERE Email='".$EMAIL."'";
  $result = $dbConnection->query($findUserQuery) or die($dbConnection->error.__LINE__);
  if($result->num_rows > 0){
    header('Location: http://127.0.0.1/login.php?loginerr=1');
    exit();
  }
  // ----- Is registration currently allowed in the system? loginerr=2 -----
  // Working 2013/05/13
  $isRegistrationEnabledQuery = "SELECT * FROM `global_settings` WHERE Registration_enabled='0'";
  $result = $dbConnection->query($isRegistrationEnabledQuery) or die($dbConnection->error.__LINE__);
  if($result->num_rows > 0){
    header('Location: http://127.0.0.1/login.php?loginerr=2');
    exit();
  }
  // ----- Is password greater than 4 characters, less than 32 characters? loginerr=3 -----
  // Working 2013/05/13
  if(strlen($PASSWORD) > 32 || strlen($PASSWORD) < 4){
    header('Location: http://127.0.0.1/login.php?loginerr=3');
    exit();
  }
  // ----- Is email in proper format? (regex) loginerr=4 -----
  // Working 2013/05/13
  if(!filter_var($EMAIL, FILTER_VALIDATE_EMAIL)){
    header('Location: http://127.0.0.1/login.php?loginerr=4');
    exit();
  }
  // ----- Is email greater than 4 characters, less than 32 characters? loginerr=5 -----
  // Working 2013/05/13
  if(strlen($EMAIL) > 32 || strlen($EMAIL) < 4){
    header('Location: http://127.0.0.1/login.php?loginerr=5');
    exit();
  }
?>
<?php
  /*
  * -------------------------------------------------------------------------------------
  * ------------------------- PASSED ALL CHECKS - INSERT INTO DB ------------------------
  * -------------------------------------------------------------------------------------
  */
  //TODO: Hash password + salt + pepper?
  // Preparing our query statement via mysqli which will auto-escape all bad characters to prevent injection
  $query = $dbConnection->prepare(
    'INSERT INTO users (
      EMAIL,PASSWORD
    ) VALUES (
      :email,:password
    )'
  );
  // Replacing the ":XXXXX" in the above statement with the actual values we want to insert
  $query->execute(array(':email' => $EMAIL, ':password' => $PASSWORD)) or die($dbConnection->error.__LINE__);
  // Perform the actual query; and if it returns false (AKA if there is an error), print the error
  /*if (!mysqli_query($dbConnection,$query)){
    die('Error: ' . mysqli_error($dbConnection));
  }*/
  // Never forget to close the connection, otherwise memory leaks will happen!
  mysqli_close($dbConnection);
?>
<?php include('header.php') ?>
<?php include('footer.php') ?>

It looks like you're using PDO syntax rather than mysqli.

Replace lines 96 through 107 with:

// Preparing our query statement via mysqli; the bound parameters are sent separately
// from the SQL text, so user input can never be parsed as SQL (prevents injection).
// mysqli uses positional "?" placeholders, not PDO's named ":email" placeholders.
$query = 'INSERT INTO users (
            EMAIL, 
            PASSWORD
          ) VALUES (
            ?,
            ?
          )';
// $dbConnection is the mysqli object created in assets/repository/mysql.php
$stmt = $dbConnection->prepare($query);
// prepare() returns false on a SQL syntax error; calling execute() on false
// is exactly the "member function on a non-object" fatal error, so check it first
if ($stmt === false) {
    die('prepare failed: ' . $dbConnection->error . __LINE__);
}
$stmt->bind_param("ss", $EMAIL, $PASSWORD);    
$stmt->execute();
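The root cause above is that the two PHP database extensions use different placeholder syntax: mysqli only understands positional `?` placeholders bound with `bind_param()`, while PDO understands named `:email` placeholders passed to `execute()` as an array. Sending `:email` through mysqli makes `prepare()` return `false`, and calling `execute()` on `false` produces the fatal error in the question. The following is an added example, not code from the question or the answer: the same registration insert written once per extension, with the `prepare()` result checked, the existence lookup also parameterised (the question's `$findUserQuery` still concatenates `$EMAIL` into the SQL string), and the password stored as a salted hash, which addresses the `TODO` in the question. It assumes a table `users` with columns `EMAIL` and `PASSWORD` as in the question; the function names and connection details are placeholders.

```php
<?php
// Added example (not the original poster's or answerer's code).
// Assumes: table `users` with columns EMAIL and PASSWORD (from the question);
// an already-open mysqli or PDO connection; PHP >= 5.5 for password_hash().
declare(strict_types=1);

/**
 * mysqli variant: positional "?" placeholders bound with bind_param().
 * Returns the new row id. Throws instead of dying, and checks prepare() so a
 * SQL syntax error surfaces as a message rather than "execute() on a non-object".
 */
function registerUserMysqli(mysqli $db, string $email, string $password): int
{
    // Existence check with a bound parameter instead of string concatenation.
    $check = $db->prepare('SELECT 1 FROM users WHERE EMAIL = ? LIMIT 1');
    if ($check === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $check->bind_param('s', $email);
    $check->execute();
    $check->store_result();
    $exists = $check->num_rows > 0;
    $check->close();
    if ($exists) {
        throw new RuntimeException('email already registered');
    }

    // Store a salted hash, never the plaintext password.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare('INSERT INTO users (EMAIL, PASSWORD) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $email, $hash);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

/**
 * PDO variant: named ":email" placeholders, values passed to execute() as an
 * array. This is the syntax the question used, which only works with PDO.
 * Expects the connection to have PDO::ATTR_ERRMODE set to ERRMODE_EXCEPTION
 * (the default since PHP 8.0) so failures throw instead of returning false.
 */
function registerUserPdo(PDO $db, string $email, string $password): int
{
    $check = $db->prepare('SELECT 1 FROM users WHERE EMAIL = :email LIMIT 1');
    $check->execute([':email' => $email]);
    if ($check->fetchColumn() !== false) {
        throw new RuntimeException('email already registered');
    }

    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (EMAIL, PASSWORD) VALUES (:email, :password)');
    $stmt->execute([':email' => $email, ':password' => $hash]);
    return (int) $db->lastInsertId();
}

/** Login-side counterpart for either variant: compare against the stored hash. */
function passwordMatches(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

// Usage (constructed credentials; connection details are placeholders):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make mysqli throw on errors
// $db = new mysqli('127.0.0.1', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $db->set_charset('utf8mb4');
// $id = registerUserMysqli($db, 'alice@example.com', 'correct horse battery staple');
```

Pick one extension and use its placeholder style throughout; the `prepare()` check is what turns the opaque fatal error into a readable SQL error message during development. The `LIMIT 1` lookup with a bound parameter replaces the concatenated `SELECT * FROM users WHERE Email='...'` from the question, which is still injectable even after the `INSERT` is fixed.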