
I'm searching and searching but I didn't find the problem, hope you can help me:

"Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement in "mydir" on line 24"

<?php
class Tunier {

    // name of the tournament
    protected $tunier_name;
    // number of participants
    protected $participant_count;

    function __construct($name, $participant) {
        // mysqli connection (a failed connection does not return false, so check connect_error)
        $db = new mysqli('localhost', 'root', '', 'tuniere');
        if ($db->connect_error) {
            die('Cant connect to MySql Please try later again');
        }

        $this->tunier_name = $name;
        $this->participant_count = $participant;

        // set up the table (the `?` inside backticks are meant as placeholders;
        // the warning quoted above is raised by the bind_param() call below)
        $query = 'CREATE TABLE `?`(
            `?` VARCHAR(32) PRIMARY KEY NOT NULL,
            `?` INT(2) NOT NULL,
            `id_spieler` INT(10) NULL
        );';

        $stmt = $db->prepare($query);
        $stmt->bind_param('sss', $this->tunier_name, $this->tunier_name, $this->participant_count);
        $stmt->execute();
    }
}
?>

2 Answers

I'm afraid that you are misusing the prepared statements feature. Bind parameters are intended to inject data into your queries (numbers, literal strings...), not to inject operators, identifiers or keywords. There's no way to protect against SQL injection if you accept SQL commands from untrusted sources. In other words: you cannot pass table or column names as bind parameters.

The SQL parser does not just replace all ? symbols blindly: it's a context-sensitive tool. As a consequence, this:

`?`

... is not considered a placeholder but a literal identifier, thus the error.

E.g., in the following code:

SELECT *
FROM `?`
WHERE foo=? OR bar='?' OR dot='How are you doing?'

... we have four ? symbols but the parser will only treat as placeholder the one at foo=? because, when code is parsed as SQL, that ? is the only one that's located where literal values are expected. So:

  1. The code will only run if you pass one parameter.
  2. The query will fail if you don't have a table called ?.

3 Comments

I think I don't really understand your statement, I'm just injecting data in my query, or not?
@user2316478 I'll use different words: you cannot pass table or column names as bind parameters.
Ah okay :), I thought I could, like when I'm inserting data with the INSERT INTO statement

No need for bind_param() for your table_name

Change the type to integer for participant_count in bind_param()

$stmt->bind_param('ssi', $this->tunier_name, $this->tunier_name, $this->participant_count);
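To make the point of both answers concrete (identifiers are spliced into the SQL text after validation, only data is bound, and the integer gets 'i'), here is a rewritten version of the class. This is an added example, not code from the question or from either answer. The column layout, the app_user credentials, the quoteIdentifier() helper and the tournament name are assumptions made for the example.

```php
<?php
// Added example: table/column names cannot be bound with `?`, so they are
// checked against a strict identifier pattern and quoted into the SQL text.
// Only row data goes through bind_param().

declare(strict_types=1);

// Report MySQL errors as exceptions instead of silently continuing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Wrap $name in backticks after verifying it is a plain identifier.
 * Anything outside [A-Za-z0-9_] (including a backtick, space or semicolon)
 * is rejected, so the result is safe to interpolate into a query string.
 * Hypothetical helper written for this example.
 */
function quoteIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException("Invalid SQL identifier: $name");
    }
    return '`' . $name . '`';
}

class Tunier
{
    private mysqli $db;
    private string $table;

    public function __construct(mysqli $db, string $name)
    {
        $this->db = $db;
        // Validated once; every query below reuses the quoted form.
        $this->table = quoteIdentifier($name);

        // The table name is part of the SQL structure, so it lives in the
        // query text. No `?` placeholders at all in this statement.
        // (Assumed schema: one row per player instead of the original layout.)
        $sql = sprintf(
            'CREATE TABLE IF NOT EXISTS %s (
                `spieler_name` VARCHAR(32) NOT NULL PRIMARY KEY,
                `platz`        INT NOT NULL,
                `id_spieler`   INT NULL
            )',
            $this->table
        );
        $this->db->query($sql);
    }

    // Row data is the only thing bound: 's' for the name, 'i' for the integers.
    public function addPlayer(string $playerName, int $platz, ?int $idSpieler): void
    {
        $sql = sprintf(
            'INSERT INTO %s (`spieler_name`, `platz`, `id_spieler`) VALUES (?, ?, ?)',
            $this->table
        );
        $stmt = $this->db->prepare($sql);
        // Three placeholders, three variables: the warning from the question cannot occur.
        $stmt->bind_param('sii', $playerName, $platz, $idSpieler);
        $stmt->execute();
    }
}

// Connection details are assumptions for the example; prefer a non-root account.
$db = new mysqli('localhost', 'app_user', 'app_password', 'tuniere');

$t = new Tunier($db, 'sommercup_2024');
$t->addPlayer('alice', 1, 42);

// A crafted "table name" is rejected before any SQL is built.
try {
    new Tunier($db, 'x`; DROP TABLE users; --');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

If the set of tournament tables is known in advance, an even stricter variant is to compare the requested name against that fixed list instead of a character pattern; the pattern check above is the minimum that makes string interpolation of an identifier safe. CREATE TABLE IF NOT EXISTS keeps the constructor idempotent, so constructing the object twice for the same tournament does not raise an error.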
