danchi Posted October 17, 2014

Hello, I have a problem during binding in an update query. I can't find what is causing the problem.

    public function Update(Entry $e) {
        try {
            $query = "update entry set string = $e->string,delimiter=$e->delimiter where entryid= $e->id";
            $stmt = $this->db->mysqli->prepare($query);
            $stmt->bind_param('ssi',$e->string,$e->delimiter,$e->id);
            $stmt->close();
        } catch(Exception $ex) {
            print 'Error: ' .$ex->getMessage();
        }
    }

When I run the function Update I get the following error:

Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement

Can you help me to solve this problem?
Jacques1 Posted October 17, 2014

The problem is that you don't understand how prepared statements work.

The whole point of a prepared statement is to not insert the values directly into the query string. This causes the usual SQL injection vulnerabilities and bugs. Instead, we use parameters to keep the values separate from the actual query.

So you first send a query template with certain placeholders to the database system:

    $stmt = $this->db->mysqli->prepare('
        UPDATE entry
        SET string = ?, delimiter = ?
        WHERE entryid = ?
    ');

After this template has been processed by the database system, you can bind concrete values to the parameters and execute the prepared statement:

    $stmt->bind_param('ssi', $e->string, $e->delimiter, $e->id);
    $stmt->execute();

Again: The whole point is to keep the values separate from the query itself so that they cannot interfere with each other. If you just stuff everything into one big string, then the database system doesn't know which parts belong to your query and which parts are the user-provided values. It will simply execute the entire string.

The try statement is also nonsense and downright dangerous. Printing the error message on the screen will expose internal data to the whole world. At the same time you lose important information like the exact location and a stack trace of the error. The default behaviour of exceptions is much smarter: They will send all information to an appropriate target like a log file (this can be configured in the php.ini). So leave the exception alone and let it do its job.
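A complete Update() method along the lines Jacques1 describes, added here as an example and not code from the thread. It assumes the table and column names from the original post, that `$this->db->mysqli` is a connected mysqli instance, and that mysqli is configured to throw exceptions.

```php
<?php
// Added example: a hardened Update() using a prepared statement.
// Assumes a connected mysqli instance and an Entry class with the
// public string/delimiter/id properties used in the original post.

// Make mysqli throw mysqli_sql_exception instead of returning false,
// so failures are never silently ignored. Set once at connection time.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

final class Entry
{
    public function __construct(
        public string $string,
        public string $delimiter,
        public int $id,
    ) {}
}

final class EntryRepository
{
    public function __construct(private mysqli $mysqli) {}

    // The 'before' from the thread, for contrast: values are interpolated
    // into the SQL text, so a value containing a quote changes the statement
    // itself, and bind_param() then has no '?' placeholders to fill.
    //   $query = "update entry set string = $e->string ... where entryid= $e->id";

    public function update(Entry $e): int
    {
        // Only placeholders go into the template, never values.
        $stmt = $this->mysqli->prepare(
            'UPDATE entry SET string = ?, delimiter = ? WHERE entryid = ?'
        );
        // One type character per placeholder: s = string, i = integer.
        // Three '?' above, so exactly three bound variables.
        $stmt->bind_param('ssi', $e->string, $e->delimiter, $e->id);
        $stmt->execute();
        // Rows changed: 0 means no entry had that id (worth checking by the caller).
        $affected = (int) $stmt->affected_rows;
        $stmt->close();
        return $affected;
    }
}

// Usage: an exception propagates to the caller and PHP's error log
// instead of being printed to the browser.
// $repo = new EntryRepository($mysqli);
// $rows = $repo->update(new Entry("a'b", ',', 42));
```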
danchi Posted October 17, 2014 (Author)

Thanks a lot for the detailed explanation. I'm a beginner in PHP so I'm still learning.