Yesterday I posted a question about how to update using PDO, and some users told me that the following code line is very unsafe, because everybody can modify my database. Well, I understand why it is not safe, but what should I do with my variables before using them in MySQL?
Example of unsafe use:
$bdd->prepare("UPDATE `articulos` SET `visto` = `visto` + 1 WHERE `ID` = {$_GET['variable']} ");
I guess that if I use $_POST it is still not secure.
And if I do this, it is unsafe too:
$getVar=$_GET['variable'];
$bdd->prepare("UPDATE `articulos` SET `visto` = `visto` + 1 WHERE `ID` = $getVar ");
So what is the safe way to insert variables in SQL queries?
Thank you.
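The unsafe interpolation from the post beside the parameterised form, as an added example that is not part of the original post. It assumes an in-memory SQLite database so it runs offline; the table and column names follow the post, the request value is constructed, and `incrementVisto` is a hypothetical helper name.

```php
<?php
// Added example, not code from the original post. Runs against an
// in-memory SQLite database so it works offline; the table and column
// names (articulos, visto, ID) follow the post. With MySQL you would
// also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the
// driver, does the parameter binding.
$bdd = new PDO('sqlite::memory:');
$bdd->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$bdd->exec("CREATE TABLE articulos (ID INTEGER PRIMARY KEY, visto INTEGER NOT NULL DEFAULT 0)");
$bdd->exec("INSERT INTO articulos (ID, visto) VALUES (1, 0), (2, 0), (3, 0)");

// Constructed request input: not a plain number. $_POST would be no different.
$_GET['variable'] = '1 OR 1=1';

// UNSAFE: the value is pasted into the SQL text before prepare() sees it,
// so the database cannot tell data from code. The WHERE clause becomes
// `ID = 1 OR 1=1` and every row is updated, not the one row intended.
$stmt = $bdd->prepare("UPDATE articulos SET visto = visto + 1 WHERE ID = {$_GET['variable']}");
$stmt->execute();
echo "unsafe query touched {$stmt->rowCount()} rows\n";

// SAFE: validate the input, then pass it through a placeholder. The SQL
// text never changes; the value travels separately as a bound parameter.
function incrementVisto(PDO $bdd, string $rawId): int
{
    // Reject anything that is not a positive integer instead of trying to
    // escape it; an ID has a known shape, so enforce that shape.
    if (!preg_match('/^\d+$/', $rawId)) {
        throw new InvalidArgumentException('ID must be a positive integer');
    }
    $stmt = $bdd->prepare("UPDATE articulos SET visto = visto + 1 WHERE ID = :id");
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

try {
    incrementVisto($bdd, $_GET['variable']);   // rejected by validation
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo "safe query touched " . incrementVisto($bdd, '2') . " rows\n";
```

The same placeholder form works for string columns; the point is that the value is never concatenated into the query text, whether it comes from $_GET, $_POST or anywhere else.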