sql syntax in preventing sql injection

Asked Mar 19 '17 at 17:00

Active Mar 19 '17 at 17:00

Viewed 18 times

I'm new to sql and php and I know sql injection is a major problem. I've done some research but I've got a syntax error:

$q = $dbc->prepare("INSERT INTO threads (Username,Thread_title,Date_created)
            VALUES('$_SESSION[Username]', ? ,NOW())");
$q = $q->bind_param('s', $_POST['Topic']);

is this the right way to go about it?

asked Mar 19 '17 at 17:00

kiran darji

1

what's the error you get ? – hassan Mar 19 '17 at 17:00
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '1' at line 1 – kiran darji Mar 19 '17 at 17:02
Parameterize the username too. Also take out the `$q = ` on the binding. – chris85 Mar 19 '17 at 17:05
taking out the $q = makes $q an object. it needs to be a string for the mysqli_query – kiran darji Mar 19 '17 at 17:08

sql syntax in preventing sql injection

0 Answers0