I am currently working on the store page for my website. I am connecting to my database where data for the products is stored. The page has no user input; it just displays the data such as product name, price, etc. My question is: can/should I implement prepared statements in order to prevent SQL injection? If I can't use prepared statements, are there any other forms of security I should implement in my website?
Here is my current code:
<?php
// Connect to the 'cart' database and fetch every product.
$connect = mysqli_connect('localhost', 'root', '', 'cart');
// Static query: no user-supplied values are concatenated into it.
$query = 'SELECT * FROM products ORDER BY id ASC';
$result = mysqli_query($connect, $query);
if ($result):
    if (mysqli_num_rows($result) > 0):
        // Render one card per product row.
        while ($product = mysqli_fetch_assoc($result)):
?>
<div class="col-sm-4 col-md-3">
    <form method="post" action="view_product.php?action=add&id=<?php echo $product['id']; ?>">
        <div class="products">
            <a href="view_product.php?product=<?php echo $product['id']; ?>">
                <img src="<?php echo $product['image']; ?>" />
            </a>
            <h4 class="text-dark">
                <a href="view_product.php?product=<?php echo $product['id']; ?>">
                    <?php echo $product['name']; ?>
                </a>
            </h4>
            <h4><?php echo $product['price']; ?></h4>
        </div>
    </form>
</div>
<?php
        endwhile;
    endif;
endif;
?>
When clicking on a certain product, it redirects to another page where additional info is displayed for the particular product. I am using a query for that; could I use prepared statements for it?
<?php
// The product id from the URL is concatenated straight into the SQL string.
$query = 'SELECT * FROM products WHERE id = "' . $_GET['product'] . '"';
?>
Thank you in advance!
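As an added example (not the asker's code), here is how the product-detail lookup from the second snippet looks with a mysqli prepared statement, input validation and output escaping; it assumes the same `cart` database and `products` table with `id`, `name`, `price` and `image` columns, and that the mysqlnd driver is available for `mysqli_stmt_get_result()`.

```php
<?php
// Added example: prepared-statement version of the product-detail page.
// Assumes the asker's 'cart' database and 'products' table (id, name, price, image).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of silently failing

$connect = mysqli_connect('localhost', 'root', '', 'cart');

// Validate before the value reaches the database: a product id is a positive
// integer, so anything else is rejected up front with a 400.
$id = filter_input(INPUT_GET, 'product', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid product id');
}

// The SQL text contains only a placeholder; the value travels separately and
// is typed as an integer ('i'), so it can never be parsed as SQL.
$stmt = mysqli_prepare($connect, 'SELECT id, name, price, image FROM products WHERE id = ?');
mysqli_stmt_bind_param($stmt, 'i', $id);
mysqli_stmt_execute($stmt);
$product = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt)); // requires mysqlnd (assumption)
mysqli_stmt_close($stmt);

if ($product === null) {
    http_response_code(404);
    exit('Product not found');
}

// Separate concern from injection: values read back from the database are
// still untrusted when rendered as HTML, even for the static listing query.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<div class="products">
    <a href="view_product.php?product=<?= (int) $product['id'] ?>">
        <img src="<?= h($product['image']) ?>" alt="<?= h($product['name']) ?>" />
    </a>
    <h4 class="text-dark"><?= h($product['name']) ?></h4>
    <h4><?= h((string) $product['price']) ?></h4>
</div>
```

The same `h()` helper applies to the first snippet as well: its query needs no prepared statement because nothing user-supplied is in it, but the echoed `name`, `image` and `price` values should still be escaped on output.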