


I have been using prepared insert statements for some years and assumed it was binding parameters properly or would give an error but it seems not as the following php binds and inserts a record without any errors but changes a string which should be an int to a zero. So it may be ok for preventing SQL injection attacks but you would end up with a spurious record in the table. e.g.:

    $q = "INSERT INTO `table` (id1, id2) VALUES (?, ?)";
    $stmt = mysqli_stmt_init($dbc);
    $id1 = 'aaaaaaa';
    $id2= 'aaaaaaa';
    $result = $stmt->bind_param('ii', $id1, $id2);
    echo '<p>' . $result . '</p>'; // Trying to bind a string to an int returns true!
    echo $dbc->error; // nothing
    $stmt->execute(); // inserts record changing $id2 to zero but auto-increments primary key $id1
    echo $dbc->error; // nothing

此文件在具有Apache/2.2.14,PHP/5.3.1和MySQL 5.1.41的Xampp环境中运行.谁能告诉我发生了什么事?

This is running in an Xampp environment with Apache/2.2.14, PHP/5.3.1 and MySQL 5.1.41. Can anyone tell me what is going on?



I'm not an expert for sure, but at first look.You have:

$id1 = 'aaaaaaa';
$id2= 'aaaaaaa';
$result = $stmt->bind_param('ii', $id1, $id2);


Thing is your 'ii' parameter says that you will be binding integers! And in fact your $id1 and $id2 are strings. For strings you should go with:

$result = $stmt->bind_param('ss', $id1, $id2);


08-26 07:43