I have prepared a series of queries which work. Now I am in the process of securing these queries against injection. I can do it fine when I have one variable in the query but have not been able to find how to do it for more with trial and error.
This is what I am doing (See $sql and $handle->execute()):
<?php
$sql = "SELECT FORMAT (z.PriceMultiplier * p.BasicTicketPrice,2)
AS totalPrice
FROM Zone z JOIN Production p
WHERE p.Title = :n AND z.Name = :n";
$handle = $conn->prepare($sql);
$zone = "$_POST[Zone]";
$prod = "$_POST[Production]";
$handle->execute(array(":n"=> $zone, $prod))
$conn = null;
$res = $handle->fetchAll();
foreach($res as $row) {
echo "<input name='Price' type='text' readonly='readonly' value=£".$row['totalPrice']."><br>";
}
?>
How do I assign the variables $zone and $prod to the statement in handle->execute()?
Thank you in advance.
[edit1: SOLUTION: Use ? instead of :n p.Title = ? AND z.Name = ? and just do $handle->execute(array($zone, $prod))]
[edit2: I do not believe this is a duplicate - the question is not how to prevent an injection attack... it is how to deal with multiple variables in doing so.]
