'Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables 11 [closed]
My code against SQL injection isn't working (error message in title).
I simplified my code, but its still not working.
<?php
include "conf.php";
$db = new mysqli($MYSQL_HOST, $MYSQL_USER, $MYSQL_PASS, $MYSQL_DB);
$ltime =10;
$url= 1;
$title =2;
$result = $db->prepare("INSERT INTO links VALUES ('', ?, ?, ?)");
$result->bind_param('ss', $url, $title, $ltime);
$result->execute();
I created DB and all variables are integer, first value is ID and it is created with an auto Increment flag.
Solution 1:[1]
You have to put three "s" in the bind_param method, because there are three variables to bind
$result = $db->prepare("INSERT INTO links VALUES (NULL, ?, ?, ?)");
$result->bind_param('sss', $url, $title, $ltime);
I's also better to pass a null NULL value for the autoincremented field instead of an empty string
Solution 2:[2]
You have:
$result->bind_param('ss', $url, $title, $ltime);
but it should be
$result->bind_param('sss', $url, $title, $ltime);
The first function parameter ofbool mysqli_stmt::bind_param ( string $types , mixed &$var1 [, mixed &$... ] )
determines the type of each single bound variable/sql-parameter. You have three sql-parameters, so your first function parameter must specify three types (three times s in this case), not just two.
And on a side-node: I'd rather assign the return value of mysqli::prepare to a variable with the name $statement than $result.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Your Common Sense |
| Solution 2 | VolkerK |