mysqli prepared statements

one way to make sure that SQL injections NEVER happen is to use a prepared statement

Perl has been doing it for ages, so by now it should be mainstream, yeah? I wish. but if you’re behind the curve, no worries, here’s how to do it. this is for a simple contact form.

  • use a question mark in the SQL for every place you want to substitute a variable
  • for bind_param, the “sss” means I am going to substitute 3 strings for the 3 question marks, in order. if I said “sis” that would mean I have one string, then an integer, then a string
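the contact-form insert done both ways, as an added example (my code, not the original post’s). it assumes a table `contacts(id, name, email, message)` and the connection details shown; the form values are constructed defaults so it runs without a real form.

```php
<?php
// Added example, not the original post's code.
// Assumes a table contacts(id, name, email, message) and these credentials.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

$db = new mysqli('localhost', 'app_user', 'app_password', 'site'); // assumed
$db->set_charset('utf8mb4');

// Constructed form input; a real form would read these from $_POST.
// The apostrophe in the name is exactly the kind of character that
// breaks a query built by string concatenation.
$name    = $_POST['name']    ?? "O'Brien";
$email   = $_POST['email']   ?? 'obrien@example.com';
$message = $_POST['message'] ?? 'hello there';

// UNSAFE (kept commented out for comparison): the quote in $name ends the
// string literal early, so anything after it is parsed as SQL. That is the
// whole injection problem in one line.
// $db->query("INSERT INTO contacts (name, email, message)
//             VALUES ('$name', '$email', '$message')");

// SAFE: one ? per value. The SQL text is sent to the server first and
// parsed on its own; the values travel separately and can never be
// mistaken for SQL, no matter what characters they contain.
$stmt = $db->prepare(
    'INSERT INTO contacts (name, email, message) VALUES (?, ?, ?)'
);
// "sss" = three strings, bound to the three ?s from left to right.
$stmt->bind_param('sss', $name, $email, $message);
$stmt->execute();
echo "rows inserted: {$stmt->affected_rows}\n"; // O'Brien is stored literally
$stmt->close();

// Reading a row back with a typed placeholder: "i" binds an integer,
// so the id is sent as a number rather than spliced into the SQL text.
$id = (int)($_GET['id'] ?? 1);
$stmt = $db->prepare('SELECT name, email FROM contacts WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
var_dump($row);
$stmt->close();
```

one caveat: a ? can only stand in for a value, not for a table name, column name, or ORDER BY direction, so anything like that still has to come from a fixed list in your own code.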