Which of these is right and really safe?
Using prepared statements:
$stmt= $db->prepare("INSERT INTO books (title) VALUES (?)");
$booktitle=$_POST['booktitle'];
$stmt->bind_param('s', $booktitle);
$stmt->execute();
Or using an escape function:
$unsafe_variable = $login;
// mysqli_real_escape_string() needs the connection as its first argument,
// because the escaping depends on the connection's character set.
$safe_variable = mysqli_real_escape_string($db, $unsafe_variable);
// The escaped value only works if it is placed inside single quotes.
$stm = mysqli_query($db, "SELECT post_amount FROM users WHERE login='" . $safe_variable . "'");
$stmone = mysqli_fetch_assoc($stm);
$stmtwo = implode($stmone);
echo($stmtwo);
Please help me deal with it.
The first option is way, way better. I can't stress this enough. Not only does it ensure you always take care of things automatically, but it also gives you cleaner code. If you don't use prepared statements, all it takes is one miss in your sanitization and you're wide open for attacks. Hell, prepared statements are half the reason mysqli was introduced in the first place.
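To make the answer concrete, here is an added example (not code from the question or the answer above) that puts both approaches side by side with the error handling and charset setup they need. It assumes a reachable MySQL/MariaDB server with the placeholder credentials shown, a table users(id INT, login VARCHAR, post_amount INT), and the mysqlnd driver so that get_result() is available. The function names are made up for this illustration.

```php
<?php
// Added example, not from the original post. Placeholder credentials below.
declare(strict_types=1);

// Make every mysqli error throw an exception instead of returning false,
// so a failed prepare() or query() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
// Escaping is only correct for the connection's charset, so set it explicitly.
$db->set_charset('utf8mb4');

/**
 * Safe: the SQL text and the user value are sent to the server separately,
 * so the value can never change the structure of the query.
 */
function postAmountByLogin(mysqli $db, string $login): ?int
{
    $stmt = $db->prepare('SELECT post_amount FROM users WHERE login = ?');
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ? (int) $row['post_amount'] : null;
}

/**
 * Also parameterized, for an integer column: bind with 'i'. This is the
 * case an escaping function cannot cover, because there are no quotes
 * around a number in SQL.
 */
function postAmountById(mysqli $db, int $id): ?int
{
    $stmt = $db->prepare('SELECT post_amount FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ? (int) $row['post_amount'] : null;
}

/**
 * The escaping approach from the question, written correctly: the link is
 * the first argument and the escaped value sits inside single quotes.
 * mysqli_real_escape_string() only escapes quote and control characters;
 * if the value were concatenated without surrounding quotes (an id, a
 * LIMIT, an ORDER BY column), spaces and SQL keywords would pass through
 * untouched and become part of the statement. That is the "one miss" the
 * answer above warns about, and prepared statements remove it entirely.
 */
function postAmountByLoginEscaped(mysqli $db, string $login): ?int
{
    $safe = mysqli_real_escape_string($db, $login);
    $res = mysqli_query($db, "SELECT post_amount FROM users WHERE login = '" . $safe . "'");
    $row = mysqli_fetch_assoc($res);
    return $row ? (int) $row['post_amount'] : null;
}

// Usage with constructed input, including a login that contains a quote.
var_dump(postAmountByLogin($db, "o'hara"));
var_dump(postAmountByLoginEscaped($db, "o'hara"));
var_dump(postAmountById($db, 1));
```

Both login lookups return the same row for "o'hara": the prepared version because the quote is carried as data, the escaped version because the quote was escaped and the value was quoted. Only the prepared version generalises to the integer lookup without extra care, which is the practical reason to default to it.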