I have been given a project to complete; in the backend there are SQL statements doing various things, as you'd expect.
In the past I have used PDO to construct SQL queries that use parameterisation to avoid injection attacks.
Whilst reading through the code I noticed many queries in the form of:
$sql = "SELECT * FROM detail WHERE email ='$email'";
$query = mysqli_query($dbcon, $sql);
Yes, it is.
But you can use this with mysqli: http://php.net/manual/en/mysqli.prepare.php
So with your data it will be like:
$prepare = $dbcon->prepare("SELECT * FROM detail WHERE email = ?");
$prepare->bind_param("s", $email);
$prepare->execute();
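To make the difference concrete, here is an added example (not code from the question or the answer above) that runs the original interpolated query and the prepared-statement version side by side against the `detail` table the question mentions. The connection credentials, the `findByEmail`/`findByEmailPdo` function names and the malicious input are assumptions for illustration; `get_result()` assumes the mysqlnd driver, which is the default in current PHP builds.

```php
<?php
// Added example, not from the original question or answer.
// Assumes a MySQL database with a table `detail` that has an `email` column,
// and the (hypothetical) connection details below.
declare(strict_types=1);

// Throw on every mysqli error instead of silently returning false
// (this is already the default from PHP 8.1 onwards).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$dbcon = new mysqli('localhost', 'app', 'secret', 'appdb'); // assumed credentials

// Constructed attacker input, not from the page: a quote closes the string
// literal and the rest becomes SQL.
$email = "' OR '1'='1";

// 1) The pattern from the question: the value is spliced into the SQL text.
//    The resulting query is  SELECT * FROM detail WHERE email ='' OR '1'='1'
//    which matches every row in the table.
$sql = "SELECT * FROM detail WHERE email ='$email'";
echo "Query text actually sent to MySQL:\n  $sql\n";
$result = mysqli_query($dbcon, $sql);
printf("Interpolated query returned %d row(s)\n", $result->num_rows);

// 2) The answer's approach: the SQL text is fixed at prepare() time and the
//    value travels separately, so it can only ever be compared as data.
function findByEmail(mysqli $dbcon, string $email): array
{
    $stmt = $dbcon->prepare("SELECT * FROM detail WHERE email = ?");
    $stmt->bind_param("s", $email);          // "s": bind $email as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $stmt->close();
    return $rows;
}

// The same input now only matches a row whose email is literally  ' OR '1'='1
// so this normally returns nothing.
printf("Prepared statement returned %d row(s)\n", count(findByEmail($dbcon, $email)));

// 3) PDO equivalent, since the question mentions using PDO elsewhere.
//    ATTR_EMULATE_PREPARES => false makes PDO use real server-side prepared
//    statements rather than escaping values into the query string client-side.
function findByEmailPdo(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare("SELECT * FROM detail WHERE email = :email");
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('mysql:host=localhost;dbname=appdb;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
printf("PDO prepared statement returned %d row(s)\n", count(findByEmailPdo($pdo, $email)));
```

Two caveats worth checking when converting the rest of the code base: a `?` placeholder can only stand in for a value, so table or column names and `ORDER BY` directions cannot be bound and must be validated against an allow-list in PHP instead; and if you see `mysqli_real_escape_string()` used as a substitute for placeholders, it only protects quoted string literals and breaks down for numeric contexts or a mismatched connection charset, so the prepared-statement form above is the one to standardise on.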