Hi, I know parameterized statements and escaping data are good practice for preventing SQL injection. But I was curious to see it in action, so I set up a database to see. The problem is I keep getting an error or it's not injecting correctly.
<?php
// $db is assumed to be an already-opened PDO connection
$ans = $_POST['answer'];
// user input is interpolated straight into the SQL text (the vulnerable pattern being tested)
$query = "SELECT username from `members` where password = '$ans'";
$c = $db->query($query);            // returns false on a SQL error unless ERRMODE_EXCEPTION is set
$c = $c->fetch(PDO::FETCH_ASSOC);   // fails here if $c is false rather than a statement
echo $c['username'];
I tried the typical 'Or 1=1' injections and their variations, and I keep coming up with errors on the fetch or it not working at all.
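For comparison, here is the same lookup written with a PDO prepared statement. This is an added example, not the asker's code; it assumes the same `$db` PDO connection and `members` table from the question, and the function name findUsernameByPassword is chosen here for illustration.

```php
<?php
// Added example: the lookup from the question using a PDO prepared statement.
// Assumes $db is an existing PDO connection and the `members` table from the question.

function findUsernameByPassword(PDO $db, string $answer): ?string
{
    // Throw on SQL errors instead of returning false, so a failed query
    // surfaces as an exception rather than as a fetch() call on a boolean.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // The SQL text is fixed at prepare time. The user value is sent separately
    // as a bound parameter, so quotes or keywords inside $answer are compared
    // as literal characters and are never parsed as part of the statement.
    $stmt = $db->prepare('SELECT username FROM `members` WHERE password = :pw');
    $stmt->bindValue(':pw', $answer, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// Usage with the same form field as in the question.
$username = findUsernameByPassword($db, $_POST['answer'] ?? '');
echo $username === null
    ? 'no match'
    : htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
```

With the value bound as a parameter, the shape of the input no longer changes the query, so the same function behaves identically whether the field holds a normal password or one containing quote characters. Comparing against a plaintext password column is a separate weakness; the usual replacement is storing a password_hash() value and checking it with password_verify().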