Use prepared statements and parameterized queries. With a prepared statement the SQL text is sent to and parsed by the database server first, and the parameter values travel separately afterwards, so user input can never change the structure of the query. One caveat: some PDO drivers (pdo_mysql in particular) emulate prepares on the client side by default; the values are still quoted safely, but if you want true server-side prepares set PDO::ATTR_EMULATE_PREPARES to false. Parameters can only stand in for values, not for table or column names, so those must be validated against a whitelist instead.
If you use PHP Data Objects you can work with prepared statements like this:
// $db is an existing PDO connection; :name is a placeholder, not part of the SQL text
$preparedStatement = $db->prepare('SELECT * FROM employees WHERE name = :name');
// the value of $name is bound separately and is never parsed as SQL
$preparedStatement->execute(array(':name' => $name));
$rows = $preparedStatement->fetchAll();
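To make the difference concrete, here is an added example that is not part of the original post: a concatenated query and a PDO prepared statement run side by side against an in-memory SQLite database, plus a whitelist for an ORDER BY column, which cannot be parameterized. The table, its rows, the function names and the attacker input are all constructed for this example.

```php
<?php
// Added example, not from the original post. Uses in-memory SQLite so it runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Request server-side prepares. pdo_sqlite prepares natively regardless;
// pdo_mysql emulates on the client unless this attribute is set to false.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample schema and rows.
$db->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)');
$seed = $db->prepare('INSERT INTO employees (name, salary) VALUES (:name, :salary)');
foreach ([['alice', 90000], ['bob', 65000], ['carol', 72000]] as [$n, $s]) {
    $seed->execute([':name' => $n, ':salary' => $s]);
}

// Vulnerable: the input is spliced into the SQL text, so a quote in it ends the
// string literal and whatever follows is parsed as SQL.
function findByNameVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name FROM employees WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL is fixed at prepare time; the value is bound afterwards and
// compared as data, quotes and all.
function findByNameSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM employees WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Identifiers cannot be bound as parameters, so map user input onto a fixed
// whitelist (an assumption of this example) and reject anything else.
function listSortedSafe(PDO $db, string $sortColumn): array
{
    $allowed = ['name' => 'name', 'salary' => 'salary'];
    if (!isset($allowed[$sortColumn])) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    return $db->query('SELECT name FROM employees ORDER BY ' . $allowed[$sortColumn])
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: a classic tautology payload.
$payload = "x' OR '1'='1";

var_dump(findByNameVulnerable($db, $payload));
var_dump(findByNameSafe($db, $payload));
var_dump(findByNameSafe($db, 'bob'));
var_dump(listSortedSafe($db, 'salary'));
```

Running it, the concatenated query's WHERE clause becomes `name = 'x' OR '1'='1'` and every employee is returned, while the prepared statement looks for an employee literally named `x' OR '1'='1` and returns nothing; the legitimate lookup for `bob` still works. The whitelist function sorts by salary because `salary` is in the allowed map; any other value throws before touching the database.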