To avoid your code be vulnerable, especially for preventing SQL injection. You may need the mysqli_* function and prepare statement of it to make it. I will make some examples, such like this:
The SELECT sentence like this:
$stmt = $conn->prepare(‘SELECT column_name FROM table_name WHERE column_name = ?’);
$result = $stmt->get_result();
The INSERT sentence like this:
$stmt = $conn->prepare(‘INSERT INTO table_name(column_name_f, column_name_s) VALUES(?,?)’);
$stmt->bind_param(‘ss’, $var_name_f, $var_name_s);
So the only question you guys want to know is that mysterious ‘s’.
Not other mean, just String.
And other’s just as the word the said.
- bind_param which bind param like $var_name_f with the first question mark in this string(’s’) format.
- execute means that the statement will execute the sql sentence.
- close, just close connection;