one way to make sure that sql injections NEVER happen is to use a prepared statement
perl has been doing it for ages, so by now it should be mainstream, yeah? I wish. but if you’re behind the curve, no worries, here’s how to do it. this is for a simple contact form.
```php
$stmt = $mysqli->stmt_init();
// prepare the statement, use ?'s for where you want to put variables
if (!$stmt->prepare("insert into tbl_contact(contact_fullname,contact_phone,contact_email) values (?,?,?)")) {
    die("prepare failed: " . $stmt->error);
}
// bind your variables to the statement, in order. "sss" means string-string-string
$stmt->bind_param("sss", $_POST['fullname'], $_POST['phone'], $_POST['email']);
if (!$stmt->execute()) {
    die("execute failed: " . $stmt->error);
}
$stmt->close();
```
- use a question mark for every time you want to use a variable
- for bind_param, the “sss” means I am going to be substituting 3 strings for the question marks. if I said “sis” that would mean I have one string, then an integer, then a string
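Here is the same contact-form insert written out as a complete handler, as an added example rather than the post's own code. It assumes the post's tbl_contact table, placeholder database credentials, and adds the two things the snippet above skips: mysqli error reporting and input validation before the insert.

```php
<?php
// Added example, not the post's own code. Assumes the post's tbl_contact table
// and placeholder database credentials; adjust both for your setup.
declare(strict_types=1);

// Make mysqli throw on errors so a failed prepare() or execute() cannot be missed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one contact row with a prepared statement and return rows inserted.
 * The SQL is compiled with ? placeholders first and the values are sent
 * afterwards, so a quote or comment sequence in a value is stored as data
 * and never parsed as SQL.
 */
function insert_contact(mysqli $db, string $fullname, string $phone, string $email): int
{
    $stmt = $db->prepare(
        'INSERT INTO tbl_contact (contact_fullname, contact_phone, contact_email) VALUES (?, ?, ?)'
    );
    // "sss": three string parameters, bound in the same order as the ?'s.
    $stmt->bind_param('sss', $fullname, $phone, $email);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Read each field with a default so a missing field is '' instead of a warning.
$fullname = trim((string)($_POST['fullname'] ?? ''));
$phone    = trim((string)($_POST['phone'] ?? ''));
$email    = trim((string)($_POST['email'] ?? ''));

// Prepared statements stop injection, not bad data: validate before inserting.
if ($fullname === '' || strlen($fullname) > 100
    || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('invalid contact form input');
}

$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'contact_db'); // placeholder credentials
$mysqli->set_charset('utf8mb4');
insert_contact($mysqli, $fullname, $phone, $email);
$mysqli->close();
echo 'thanks, your message was saved';
```

One caveat worth keeping in mind: the ? placeholders only cover values, so a table or column name or an ORDER BY direction taken from user input still has to be checked against a fixed allow-list rather than bound.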