I was wondering if someone would be able to help me alter my connection code and queries so that they help protect me from SQL injection?
Any advice would be amazing.
I have the below code in a dbconfig.php file:
<?php
$servername = "localhost";
$username = "root";
$password = "fnjfi8378f3hrn39fb3";
$dbname = "crm4";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection (connect_error is only set when mysqli is not in exception mode)
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
?>
and the code below on a web page that runs a query:
<?php
// $memberid is interpolated straight into the SQL text; this is the injection point
$sql = "SELECT format(count(id),0) as id3 FROM Orders
INNER JOIN membership_userrecords ON Orders.id = membership_userrecords.pkValue
where Year = 2017 AND membership_userrecords.memberID = '$memberid' AND membership_userrecords.tableName='Orders'
";
$result2 = $conn->query($sql); // returns false on error, so fetch_assoc() below would then fail
$row = $result2->fetch_assoc();
echo $row["id3"];
?>
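The standard fix is to stop building the SQL text from user data and send the value separately, as a bound parameter. The following is an added example, not code from the original post: it rewrites the connection setup and the query above using a mysqli prepared statement. Table and column names are taken from the question; the function name countOrdersForMember, the use of $_GET['memberid'] as the source of the member ID, and the placeholder password are assumptions made for illustration.

```php
<?php
// Added example (not from the original post): dbconfig.php and the page query
// rewritten with a prepared statement so the member ID is bound, not interpolated.

// --- dbconfig.php ---
// Make mysqli throw exceptions instead of silently returning false; with this set,
// a failed connection or query cannot be missed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$servername = "localhost";
$username   = "root";            // from the question; an app-specific, least-privilege account is preferable
$password   = "CHANGE-ME";       // placeholder, not the real credential
$dbname     = "crm4";

$conn = new mysqli($servername, $username, $password, $dbname);
// Tell the driver which charset the connection uses, so binding and any
// escaping operate on the same byte interpretation as the server.
$conn->set_charset('utf8mb4');

// --- page code ---
/**
 * Counts a member's Orders rows for a given year.
 * The two "?" placeholders are filled by bind_param(); the values travel to the
 * server separately from the SQL text and cannot alter the statement's structure.
 */
function countOrdersForMember(mysqli $conn, string $memberid, int $year): string
{
    $sql = "SELECT FORMAT(COUNT(Orders.id), 0) AS id3
              FROM Orders
              INNER JOIN membership_userrecords
                      ON Orders.id = membership_userrecords.pkValue
             WHERE Year = ?
               AND membership_userrecords.memberID = ?
               AND membership_userrecords.tableName = 'Orders'";

    $stmt = $conn->prepare($sql);
    $stmt->bind_param('is', $year, $memberid);  // i = integer, s = string
    $stmt->execute();
    $stmt->bind_result($id3);                   // works without mysqlnd, unlike get_result()
    $stmt->fetch();
    $stmt->close();

    // FORMAT() returns a string; COUNT() always yields one row, so $id3 is set
    return $id3 ?? '0';
}

// Assumed input source; wherever $memberid really comes from, treat it as untrusted.
$memberid = $_GET['memberid'] ?? '';

// Output encoding is a separate concern from SQL injection, but the value is
// about to land in HTML, so encode it for that context too.
echo htmlspecialchars(countOrdersForMember($conn, $memberid, 2017), ENT_QUOTES, 'UTF-8');
```

Two caveats worth knowing. Placeholders only work for values; a table or column name chosen by the user cannot be bound and must be checked against a fixed allow-list instead. And parameter binding stops the query from being rewritten, but it does not limit what a compromised page can do: connecting as root means any other flaw in the application has full rights to the server, so the application should use an account that can only read and write the tables it needs.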