How can I prevent SQL syntax error when typing quotes, and prevent injection attacks as well?

Question

How can I make this code better, so that it wouldn't be as vulnerable to an SQL injection, and will allow the use of quotes in the input?

Read this [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Did you do any research? Just googling your title would have been enough. — ADyson, Sep 22 '22 at 06:27

score 0 · Answer 1 · answered Sep 22 '22 at 06:30

You should try to convert your code into below prepared statement code it will help to prevent from injections. You can also see the following link. https://www.w3schools.com/php/php_mysql_prepared_statements.asp

$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}

// prepare and bind
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) 
VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);

// set parameters and execute
$firstname = "John";
$lastname = "Doe";
$email = "john@example.com";
$stmt->execute();

How can I prevent SQL syntax error when typing quotes, and prevent injection attacks as well?

1 Answers1