one way to make sure that sql injections NEVER happen through the values you pass in is to use a prepared statement. the query text is sent to the database first and parsed on its own, then the values follow separately, so a quote or a semicolon in a value can never change what the query does (it only covers values though: table names, column names and ORDER BY directions can't be bound as parameters, so those still have to come from a whitelist).
perl has been doing it for ages, so by now it should be mainstream, yeah? I wish. but if you’re behind the curve, no worries, here’s how to do it with mysqli. this is for a simple contact form.
$stmt = $mysqli->stmt_init();
//prepare the statement, use ?'s for where you want to put variables
//prepare() returns false if the sql is bad, so don't bind to a failed statement
if (!$stmt->prepare("insert into tbl_contact(contact_fullname,contact_phone,contact_email)
values (?,?,?)")) {
    die("prepare failed: " . $stmt->error);
}
//bind your variables to the statement, in order. "sss" means string-string-string
$stmt->bind_param("sss", $_POST['fullname'], $_POST['phone'], $_POST['email']);
$stmt->execute();
$stmt->close();
- use a question mark for every place you want to put a variable, one ? per value, and never paste the variable into the query string itself
- for bind_param, the “sss” means I am going to be substituting 3 strings for the question marks, in order. if I said “sis” that would mean I have one string, then an integer, then a string. the letters you can use are s (string), i (integer), d (double) and b (blob), and the number of letters has to match the number of question marks
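putting the whole thing together as a form handler, as an added example that is not from the original post. the contact_age column, the save_contact function name and the database credentials are assumptions; the three original columns are the ones from the post.

```php
<?php
// Added example (not from the original post): a contact-form insert wrapped in a
// function, with mysqli in exception mode so a bad query fails loudly instead of silently.
// Assumed schema: tbl_contact(contact_fullname, contact_phone, contact_email)
// plus a hypothetical integer column contact_age, to show a mixed "sssi" type string.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function save_contact(mysqli $db, string $name, string $phone, string $email, int $age): int
{
    // The SQL text is fixed; user input never becomes part of it.
    $sql = "INSERT INTO tbl_contact (contact_fullname, contact_phone, contact_email, contact_age)
            VALUES (?, ?, ?, ?)";
    $stmt = $db->prepare($sql);            // throws mysqli_sql_exception on a bad statement
    // "sssi": three strings, then one integer, matching the four ? markers in order.
    $stmt->bind_param("sssi", $name, $phone, $email, $age);
    $stmt->execute();
    $id = $stmt->insert_id;                // auto-increment id of the new row
    $stmt->close();
    return $id;
}

// Typical use from the form handler. Validation is still the form's job; the prepared
// statement only guarantees the values cannot change the structure of the query.
$db = new mysqli("localhost", "app_user", "app_password", "app_db"); // placeholder credentials

$name  = trim($_POST['fullname'] ?? '');
$phone = trim($_POST['phone'] ?? '');
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$age   = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0, 'max_range' => 150]]);

// filter_input returns null when the field is missing and false when it fails validation.
if ($name === '' || $email === null || $email === false || $age === null || $age === false) {
    http_response_code(400);
    exit("invalid input");
}

// A name containing quotes or SQL keywords is stored as a plain string, because it is
// sent separately from the statement the server has already parsed.
$id = save_contact($db, $name, $phone, $email, $age);
echo "saved contact #" . $id;
```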