How do i protect against SQL Injection if i wrote the site in PHP procedural? Can i use prepared statements? Or exists other ways?
example:
$query ="INSERT INTO users (name,username,password,email,gender) VALUES ('$name','$username','$password','$email','$gender')";
$result = mysqli_query($connect,$query) or die ( "Error : ". mysqli_error($connect) );
Yes, you can write prepared statements with bound parameters in procedural code using mysqli. Here's a solution based on your example.
$query ="
INSERT INTO users (name, username, password, email, gender)
VALUES (?, ?, ?, ?, ?)";
if (($stmt = mysqli_prepare($connect, $sql)) === false) {
die("Error : " . mysqli_error($connect));
}
if (mysqli_stmt_bind_param($stmt, "ssss", $name, $username, $password, $email, $gender) === false) {
die("Error : " . mysqli_stmt_error($stmt));
}
if (mysqli_stmt_execute($stmt) === false) {
die("Error : " . mysqli_stmt_error($stmt));
}
$result = mysqli_stmt_get_result($stmt);
if (mysqli_errno()) {
die("Error : " . mysqli_stmt_error($stmt));
}
... fetch from $result ...
