How do I convert these codes into prepared statements. Please? I am building a web app in php and have various instances where I haven't used prepared statements. Kindly help me with this one. Thanks.
Also, how efficiently do prepared statements prevent SQL injections? Do I need to totally stop worrying about sql injection after using them or there are other security measures I need to use afterwards? If there is, kindly advice.
<?php
$cid = $_GET['view'];
$ret = mysqli_query($data, "select * from farmerfruit,fruit,fruitprogress where farmerfruit.fruit_id = fruit.id AND farmerfruit.progress_id = fruitprogress.progressid AND farmerfruit.farmerfruitid='$cid'");
$cnt = 1;
while ($row = mysqli_fetch_array($ret)) {
?>
<div id="page">
<!-- App Header -->
<div class="appHeader bg-primary text-light">
<div class="left">
<a href="javascript:;" class="headerButton goBack">
<i class="fi fi-rr-angle-left"></i> </a>
</div>
<div class="pageTitle"><?php echo $row['name']; ?></div>
<div class="right">
<a href="#" class="headerButton">
<i class="fi fi-rr-heart"></i> </a>
</div>
</div>
<!-- * App Header -->
<!-- App Capsule -->
<div id="appCapsule">
<!-- carousel -->
<div class="carousel-full owl-carousel owl-theme product-page">
<div class="item">
<img src="assets/img/lazyload.svg" data-src="../admin/upload/fruits/<?php echo $row['image']; ?>"
alt="alt" class="imaged w-100 square lazy">
</div>
</div>
<!-- * carousel -->
<div class="section full">
<div class="wide-block pt-2 pb-2 product-detail-header">
<h1 class="title"><?php echo $row['name']; ?></h1>
<div class="text mt-1 truncate-3"><?php echo $row['description']; ?> in Stock</div>
<div class="detail-footer">
<!-- price -->
<div class="price">
<div class="old-price no-line">Curent Status</div>
<?php echo $row['detail_progress_status']; ?>
</div>
<!-- * price -->
<!-- amount -->
<div class="amount">
<div class="old-price">Seedling: <span style="font-weight: 700">Ksh.
<?php echo $row['seedling_price']; ?></span></div>
</div>
<!-- * amount -->
</div>
<?php
$uri = $_SERVER['REQUEST_URI'];
$update = $row['progress_id'];
$updateactive_status = $row['active_status_id'];
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$updateprogress = "UPDATE farmerfruit SET progress_id='$update' + 1, farm_active= '$updateactive_status' WHERE farmerfruitid='$cid'";
if (mysqli_query($data, $updateprogress)) {
echo "Record updated successfully";
header("Location: $uri");
} else {
echo "Error updating record: " . mysqli_error($data);
}
mysqli_close($data);
}
?>
<form method="post" action="">
<?php echo $row['button_status']; ?>
</form>
</div>
</div>
<div class="section full mt-2 mb-3">
<div class="section-title">What Happens in this Stage</div>
<div class="wide-block pt-2 pb-2">
<?php echo $row['what_happens']; ?>
</div>
</div>
<div class="section mt-1 mb-4">
<?php echo $row['what_needed']; ?>
</div>
</div>