Jump to content

Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement


Go to solution Solved by Jacques1,

Recommended Posts

Hello,

I have problem durring binding update query. I can't find what is causing problem.

public function Update(Entry $e)
    {
        try
        {
            $query = "update entry set string = $e->string,delimiter=$e->delimiter where entryid= $e->id";
            $stmt = $this->db->mysqli->prepare($query);
            $stmt->bind_param('ssi',$e->string,$e->delimiter,$e->id);

            $stmt->close();
           

        }
        catch(Exception $ex)
        {
            print 'Error: ' .$ex->getMessage();
        }
    }

When I run function update I'm getting next error:Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement

 

Can you help me to solve this problem ?

Edited by danchi
  • Solution

The problem is that you don't understand how prepared statements work.

 

The whole point of a prepared statement is to not insert the values directly into the query string. This causes the usual SQL injection vulnerabilities and bugs. Instead, we use parameters to keep the values separate from the actual query. So you first send a query template with certain placeholders to the database system:

$stmt = $this->db->mysqli->prepare('		
    UPDATE
        entry
    SET
        string = ?,
        delimiters = ?
    WHERE
        entryid = ?
'); 

After this template has been processed by the database system, you can bind concrete values to the parameters and execute the prepared statement:

$stmt->bind_param('ssi', $e->string, $e->delimiter, $e->id);
$stmt->execute();

Again: The whole point is to keep the values separate from the query itself so that they cannot interfere with each other. If you just stuff everything into one big string, then the database system doesn't know which parts belong to your query and which parts are the user-provided values. It will simply execute the entire string.

 

The try statement is also nonsense and downright dangerous. Printing the error message on the screen will expose internal data to the whole world. At the same time you lose important information like the exact location and a stack trace of the error. The default behaviour of exceptions is much smarter: They will send all information to an appropriate target like a log file (this can be configured in the php.ini). So leave the exception alone and let it do its job.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.