
For learning purposes

This code:

```php
<?php

if (isset($_POST['submit'])) {
    # code...
    $code    = $_POST['code'];
    $cname   = $_POST['cname'];
    $address = $_POST['address'];
    $email   = $_POST['email'];
    $contact = $_POST['contact'];

    // The raw form values are interpolated straight into the SQL string;
    // this is the injection point the question is about.
    $newCustomer = mysqli_query($con, "INSERT INTO `tbl_customer`(`code`, `name`, `address`, `cemail`, `ccontact`) VALUES ('$code','$cname','$address','$email','$contact')") or die(
        '<div class="alert alert-warning">
            <strong>Error!</strong> Code is already in use.
        </div>'
    );

    echo '<div class="alert alert-success">
        <strong>Success!</strong> You inserted a new Customer.
    </div>';
}
?>
```

is subject to SQL injection. I am still learning, so can you help me with how to prepare this statement to avoid SQL injection? I need some implementation examples that are specific to this use case. Please don't refer me to another post.

haytham
    The manual is a great place to start :-D [`mysqli_prepare()`](http://php.net/manual/en/mysqli.prepare.php) – Qirel Jan 09 '17 at 17:54
  • You're going to get referred to another post because this has been covered many, many times before. As Qirel points out, the documentation is a good place to start. This isn't some ancient mystery, it's a common practice, so don't be afraid to read up on the basics. There's even a [whole section full of examples](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) you can work from. Just apply the same patterns used there to your example and you'll be fine. – tadman Jan 09 '17 at 18:03
  • OK, thanks. Are there ways to review that code once it's done? I mean, I want to use this but won't be sure if the code is safe. – haytham Jan 09 '17 at 18:10
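The same INSERT rewritten as a prepared statement, as an added example that is not code from the question or its comments. It assumes `$con` is an open `mysqli` connection and the five form fields named in the question; the "code already in use" case is detected through MySQL's duplicate-key error (1062, ER_DUP_ENTRY) rather than by treating every failure as a duplicate.

```php
<?php
// Added example: the question's INSERT as a prepared statement.
// Assumes $con is an open mysqli connection (as in the question).
// Values are bound as parameters, so they travel separately from the SQL
// text and cannot change the statement's structure.

function insertCustomer(mysqli $con, string $code, string $cname, string $address, string $email, string $contact): bool
{
    $sql = 'INSERT INTO `tbl_customer` (`code`, `name`, `address`, `cemail`, `ccontact`) VALUES (?, ?, ?, ?, ?)';

    $stmt = mysqli_prepare($con, $sql);
    if ($stmt === false) {
        // Preparation only fails for server-side reasons (bad SQL, missing table), never because of user input.
        throw new RuntimeException('prepare failed: ' . mysqli_error($con));
    }

    // One 's' per placeholder: every value is sent as a string parameter.
    mysqli_stmt_bind_param($stmt, 'sssss', $code, $cname, $address, $email, $contact);

    if (!mysqli_stmt_execute($stmt)) {
        // 1062 is MySQL's ER_DUP_ENTRY: the unique `code` already exists.
        // Only that error means "code already in use"; anything else is a real failure.
        $dup = (mysqli_stmt_errno($stmt) === 1062);
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        if ($dup) {
            return false;
        }
        throw new RuntimeException('execute failed: ' . $err);
    }
    mysqli_stmt_close($stmt);
    return true;
}

if (isset($_POST['submit'])) {
    // Missing fields become '' instead of raising an undefined-index notice.
    $v = [];
    foreach (['code', 'cname', 'address', 'email', 'contact'] as $f) {
        $v[$f] = (string)($_POST[$f] ?? '');
    }

    if (insertCustomer($con, $v['code'], $v['cname'], $v['address'], $v['email'], $v['contact'])) {
        echo '<div class="alert alert-success"><strong>Success!</strong> You inserted a new Customer.</div>';
    } else {
        echo '<div class="alert alert-warning"><strong>Error!</strong> Code is already in use.</div>';
    }
}
```

A quick self-review check for the follow-up question in the comments: no `$variable` may appear inside the SQL string literal itself; every user-supplied value should reach the query only through a `?` placeholder and `bind_param`.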
