Mudsaf Posted August 22, 2013
Hello, I'm wondering: does the MySQLi function mysqli_prepare() prevent SQL injections? (check link) http://stackoverflow.com/questions/14011899/mysqli-real-escape-string-should-i-use-it
justsomeguy Posted August 22, 2013
If you pass all user-entered data as bound parameters in a prepared query then the data will be properly escaped.
Mudsaf (Author) Posted August 22, 2013
I'm not quite following. So basically, if I receive in $_POST what was posted from the INPUT form, and let's say the input form name = test, does it work like this? And what is the question mark in the SQL sentence? Is it the first bound parameter?

if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {
    $stmt->bind_param("s", $_POST['test']);
    $stmt->execute();
}
justsomeguy Posted August 22, 2013
Yes, the question marks are placeholders for bound parameters.
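Worked example of the point made in the two replies above (bound parameters stop injection; the `?` is a placeholder for the bound value). This is an added example, not code from the thread or from mysqli itself. It is written in Python against the standard sqlite3 module, because an in-memory SQLite database runs offline where a mysqli example would need a MySQL server; the `?` placeholder and the separately supplied value play exactly the roles that `prepare()` and `bind_param("s", ...)` play in the poster's snippet. The table, the sample rows, the function names and the injection payload are all constructed for the example.

```python
import sqlite3

# Constructed sample rows (not from the original thread), shaped like the
# City table the poster queries: (Name, District). "Xi'an" is included on
# purpose: a legitimate value containing a single quote.
SAMPLE_CITIES = [
    ("Kabul", "Kabol"),
    ("Qandahar", "Qandahar"),
    ("Herat", "Herat"),
    ("Amsterdam", "Noord-Holland"),
    ("Xi'an", "Shaanxi"),
]


def make_db():
    """Build an in-memory SQLite database standing in for the MySQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE City (Name TEXT NOT NULL, District TEXT NOT NULL)")
    conn.executemany("INSERT INTO City (Name, District) VALUES (?, ?)", SAMPLE_CITIES)
    conn.commit()
    return conn


def districts_unsafe(conn, name):
    """VULNERABLE: the user-supplied value is pasted into the SQL text, so the
    database parser sees whatever quotes, operators and comments it contains."""
    sql = "SELECT District FROM City WHERE Name='" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def districts_prepared(conn, name):
    """Parameterized query. The '?' is a placeholder in the statement text and
    the value is handed over separately as data, so it can only ever be compared
    against Name. This is the same idea as mysqli prepare() + bind_param()."""
    sql = "SELECT District FROM City WHERE Name=?"
    return [row[0] for row in conn.execute(sql, (name,))]


def injection_demo():
    """Run both versions against a normal value, a classic injection payload
    and a value containing an apostrophe, and return what each produced."""
    conn = make_db()
    payload = "' OR '1'='1"  # turns WHERE Name='' OR '1'='1' into "match every row"
    results = {
        "unsafe_normal": districts_unsafe(conn, "Herat"),
        "prepared_normal": districts_prepared(conn, "Herat"),
        "unsafe_payload": districts_unsafe(conn, payload),      # every district leaks
        "prepared_payload": districts_prepared(conn, payload),  # [] : no city has that name
        "prepared_apostrophe": districts_prepared(conn, "Xi'an"),
    }
    try:
        # The apostrophe breaks the hand-built SQL. The bug that produces this
        # error is the same one an attacker exploits with the payload above.
        results["unsafe_apostrophe"] = districts_unsafe(conn, "Xi'an")
    except sqlite3.OperationalError as exc:
        results["unsafe_apostrophe"] = "SQL syntax error: " + str(exc)
    return results


if __name__ == "__main__":
    for label, value in injection_demo().items():
        print(f"{label:20} {value}")
```

Two things worth noticing when running it. First, nothing in the prepared version is "escaped" in the mysqli_real_escape_string sense: the value is never parsed as SQL at all, so the payload is simply a city name that matches no row, and the legitimate "Xi'an" works without any special handling. Second, a placeholder can only stand for a value. A table or column name, or an ASC/DESC keyword, cannot be bound with `?` (in mysqli or in any other driver), so anything of that kind that comes from the user must be checked against a fixed allow-list in code before it is spliced into the statement text.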