cannot understand sql injection explanations

Asked Jan 27 '18 at 17:52

Active Jan 27 '18 at 17:52

Viewed 19 times

Could somebody correct this statement to stop sql injection, I have read through lots of answers but don't understand how to do it.

 $conn = new mysqli($servername, $username, $password, 
 $dbname);
 if ($conn->connect_error) {
 die("Connection failed: " . $conn->connect_error);
 } 

 $sql = "UPDATE daydxx SET $T1 ='$Dsc', $T2 = '$SV'  WHERE date = '$Dt' AND 
 $T1 = '' OR date = '$Dt' AND $T1 IS NULL ";

 if ($conn->query($sql) === TRUE) {  etc etc

asked Jan 27 '18 at 17:52

Dai13

Use a framework that does all that and more like mysqli or PDO – juergen d Jan 27 '18 at 17:53
Heh @juergend ... "*like mysqli or PDO*" ... I think you meant ... – IncredibleHat Jan 27 '18 at 17:55
worked it out restated the variable $Dsc = $_REQUEST['Dsc']; $Dc = str_replace("'", "\'", $Dsc); – Dai13 Jan 28 '18 at 01:18

cannot understand sql injection explanations

0 Answers0