
I am using the bind_param() member function in a query, but my code throws an error. Here is the relevant part of my code:

<?php

session_start();
include_once 'functions.php';
loging(basename(__FILE__));
if (!isset($_SESSION['user'])) {
    redirect('login.php');
}

$day_id = date('w');

$database = new mysqli('127.0.0.1', 'user', 'user', 'kantin');
$sesi = $_POST['sesi'];
$lauk = $_POST['lauk'];
$sayur = $_POST['sayur'];
$minuman = $_POST['minuman'];
$user = $_SESSION['username'];

$query_user = "SELECT * FROM user WHERE username LIKE '" . $user . "'";
$statement_user = $database->query($query_user);
$row_user = $statement_user->fetch_assoc();
$id_user = $row_user['user_id'];

$query_sesi = "SELECT * FROM sesi WHERE sesi LIKE '" . $sesi . "'";
$statement_sesi = $database->query($query_sesi);
$row_sesi = $statement_sesi->fetch_assoc();
$id_sesi = $row_sesi['sesi_id'];

$query_alt_id = "SELECT * FROM alternatif WHERE id_hari='" . $day_id . "' AND id_sesi= '" . $id_sesi . "' AND lauk_alt LIKE '" . $lauk . "'";
$statement_alt_id = $database->query($query_alt_id);
while ($row_alt_id = $statement_alt_id->fetch_assoc()) {
    $id_alt = $row_alt_id['alternatif_id'];
    $id_menu = $row_alt_id['lauk_alt'];
    $id_hari = $row_alt_id['id_hari'];
    $id_sesi = $row_alt_id['id_sesi'];
}

$query_insert = "INSERT INTO update (`id_menu_alt`, `id_user`, `id_hari`, `id_sesi`) VALUES (?,?,?,?)";
$statement_insert = $database->prepare($query_insert);
$statement_insert->bind_param('iiii', $id_alt, $id_user, $id_hari, $id_sesi);
$statement_insert->execute();


redirect('today_menu.php');
?>

When I run the code, I get this error:

Fatal error: Call to a member function bind_param() on a non-object in C:\xampp\htdocs\IBAD\Kantin_Pakoper\change_alternatif_process.php on line 40

2 Answers

You're getting an error from the call to prepare(), so it's returning false instead of a mysqli_stmt. To see the MySQL error message, do:

$statement_insert = $database->prepare($query_insert) or die($database->error);

In this case, the problem is that update is a MySQL reserved word. To use it as a table name, you need to put it in backticks:

$query_insert = "INSERT INTO `update` (`id_menu_alt`, `id_user`, `id_hari`, `id_sesi`) VALUES (?,?,?,?)";

I find it strange that you put all the column names in backticks, even though they don't need it, but you didn't put the table name in backticks.

Also, why aren't you using prepared statements for all the other queries? If you don't use bind_param(), you need to escape the strings before concatenating them into the queries.

answered 2014-10-25T07:28:31.090
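
A worked version of that advice, added here as an example and not code from the asker or either answer: the question's three lookups and the insert rewritten as prepared statements with mysqli exceptions enabled, so an invalid statement (such as the unquoted `update` table) fails loudly at prepare() instead of later at bind_param(). It assumes the same table and column names as the question, placeholder credentials, the mysqlnd driver (for get_result()), and exact `=` comparison in place of the original `LIKE`, which without wildcards matches the same rows.

```php
<?php
// Added example: the page's queries as prepared statements. Credentials are placeholders;
// session_start() and the login check from the question are assumed to have run.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on prepare()/execute() failure

$database = new mysqli('127.0.0.1', 'DB_USER', 'DB_PASSWORD', 'kantin');

// Look up one id column by an exact match on one string column; null if no row matches.
function lookup_id(mysqli $db, string $sql, string $value): ?int
{
    $stmt = $db->prepare($sql);          // throws mysqli_sql_exception if the SQL is invalid
    $stmt->bind_param('s', $value);      // value is sent separately, never spliced into the SQL
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row === null ? null : (int) array_values($row)[0];
}

$day_id = (int) date('w');
$sesi   = $_POST['sesi'] ?? '';
$lauk   = $_POST['lauk'] ?? '';
$user   = $_SESSION['username'] ?? '';

$id_user = lookup_id($database, 'SELECT user_id FROM user WHERE username = ?', $user);
$id_sesi = lookup_id($database, 'SELECT sesi_id FROM sesi WHERE sesi = ?', $sesi);

// The alternatif lookup binds two integers and one string ('iis').
$stmt = $database->prepare(
    'SELECT alternatif_id, id_hari, id_sesi FROM alternatif WHERE id_hari = ? AND id_sesi = ? AND lauk_alt = ?'
);
$stmt->bind_param('iis', $day_id, $id_sesi, $lauk);
$stmt->execute();
$alt = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($id_user === null || $alt === null) {
    exit('No matching user or menu alternative.');
}

// `update` is a reserved word, so the table name must be backticked (the fix from the answers).
$insert = $database->prepare(
    'INSERT INTO `update` (`id_menu_alt`, `id_user`, `id_hari`, `id_sesi`) VALUES (?, ?, ?, ?)'
);
$insert->bind_param('iiii', $alt['alternatif_id'], $id_user, $alt['id_hari'], $alt['id_sesi']);
$insert->execute();
$insert->close();
```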

Your query has not been prepared properly, probably because the syntax is incorrect. In future, use an if statement around your prepare() so that you can avoid the other operations if the syntax is wrong, as follows:

if($statement_insert = $database->prepare($query_insert)) {
   $statement_insert->bind_param('iiii', $id_alt, $id_user, $id_hari, $id_sesi);
   $statement_insert->execute();
}
elseif($database->error) {
   echo "Could not prepare SQL: " . $database->error;
}

The problem with your current SQL is that update is a special word in MySQL (and SQL in general), so you need to put the table name in the correct markup:

$query_insert = "INSERT INTO `update` (`id_menu_alt`, `id_user`, `id_hari`, `id_sesi`) VALUES (?,?,?,?)";
answered 2014-10-25T07:30:12.837