You also might want to think about preparing your queries instead of putting the user input right in there.
$con = new mysqli(dbhost, dbuser, dbpass, dbname); $params[] = $_POST['email']; $query = "SELECT * FROM players WHERE email = ?"; $query = $con->prepare($query); $query->bind_param(str_repeat('s', count($params)), ...$params); $query->execute(); $result = $query->get_result();
Then when you want other fields just pop other ? in e.g.
$params[] = $_POST['email']; $params[] = $_POST['name']; $query = "SELECT * FROM players WHERE email = ? AND name = ?";
This goes a ways to secure you against an attack called SQL injection which is not good for business
Thank you so much for your reply, I had no idea how to be secure against SQL injections so this will definitely help!
Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink.
Hide child comments as well
Confirm
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
You also might want to think about preparing your queries instead of putting the user input right in there.
$con = new mysqli(dbhost, dbuser, dbpass, dbname);
$params[] = $_POST['email'];
$query = "SELECT * FROM players WHERE email = ?";
$query = $con->prepare($query);
$query->bind_param(str_repeat('s', count($params)), ...$params);
$query->execute();
$result = $query->get_result();
Then when you want other fields just pop other ? in e.g.
$params[] = $_POST['email'];
$params[] = $_POST['name'];
$query = "SELECT * FROM players WHERE email = ? AND name = ?";
This goes a ways to secure you against an attack called SQL injection which is not good for business
Thank you so much for your reply, I had no idea how to be secure against SQL injections so this will definitely help!