I don't feel that my code is secure, and would like some help in using prepared statements for the following:
```php
$track = "INSERT INTO resources_record (name,email,stage,format,topic,max_cost,mentor,total_cost,duration)
VALUES ('".$fullName."', '".$email."', '".$stage."', '".$format."', '".$topic."', '".$cost."', '".$mentor."', '".$price."', '".$duration."')";
// Execute track query
mysqli_query($con, $track);
```
1 Answer
You are right, your code is indeed very insecure. I'm not sure which part of using prepared statements you are having trouble with, and rewriting your code for you seems off-topic, but the guide for PDO prepared statements is very clear. Its first example is even an INSERT. The guide for Mysqli prepared statements also contains an example for an INSERT. Just choose either Mysqli or PDO and follow the example.
Your code is quite short, so I only have a couple of points about it:

- your comment is not needed, as it doesn't add any information.
- your code could use more spaces to increase readability. Eg after `,` and between `.`.
- I would use the same names for the variables as the db columns have to avoid confusion. Your db column names also seem to be more accurate. I can easily understand the meaning of `max_cost` and `total_cost`, but it's not that clear what `cost` and `price` stand for.
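As an added illustration of the advice above (this is not code from the question or the answer), here is the same INSERT written as a mysqli prepared statement, since the question already uses mysqli. The connection parameters, the sample values and the column types (strings for the text columns, integers for `max_cost`, `total_cost` and `duration`) are assumptions made for the example; the variables are named after the database columns, as the answer suggests.

```php
<?php
// Added example: the asker's INSERT as a mysqli prepared statement.
// Connection details are placeholders, not values from the original question.
$con = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
if ($con->connect_error) {
    throw new RuntimeException('Connection failed: ' . $con->connect_error);
}

// Constructed sample values standing in for the submitted form data.
// Note the single quote in the name: with string concatenation it would
// have broken (or altered) the query; here it is just data.
$name       = "Jane O'Brien";
$email      = 'jane@example.com';
$stage      = 'beginner';
$format     = 'online';
$topic      = 'security';
$max_cost   = 150;   // assumed integer column
$mentor     = 'yes';
$total_cost = 120;   // assumed integer column
$duration   = 6;     // assumed integer column

// The SQL text contains only placeholders; user data is never spliced into it.
$sql = 'INSERT INTO resources_record
            (name, email, stage, format, topic, max_cost, mentor, total_cost, duration)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)';

$stmt = $con->prepare($sql);
if ($stmt === false) {
    throw new RuntimeException('Prepare failed: ' . $con->error);
}

// One type character per placeholder, in column order:
// s = string, i = integer (d would be double, b blob).
// The values are transmitted separately from the statement, so quoting and
// escaping are handled by the driver rather than by the application.
$stmt->bind_param(
    'sssssisii',
    $name, $email, $stage, $format, $topic,
    $max_cost, $mentor, $total_cost, $duration
);

if (!$stmt->execute()) {
    throw new RuntimeException('Execute failed: ' . $stmt->error);
}

echo 'Inserted row id ' . $con->insert_id . PHP_EOL;

$stmt->close();
$con->close();
```

The explicit error checks are kept so the example also works on PHP versions before 8.1, where mysqli does not throw exceptions by default; on 8.1 and later the same failures surface as `mysqli_sql_exception` without them.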