asked on is a prepared statement still safe from Sql injection if not using ?
I just want to select pretty much all records from a particular table. There is no WHERE clause and I don't think I have a place for the "?" So, is this still safe from SQL injection or do I have to change something?
$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");
$stmt->execute();
$result = $stmt->get_result();
$numRows = $result->num_rows;
if($numRows > 0) {
while($row = $result->fetch_assoc()){
$db_name = clean_user_input($row['contact_name']);
$db_email = filter_var($row['contact_email'], FILTER_SANITIZE_EMAIL);
$db_message = clean_user_input($row['contact_message']);
$db_date = clean_user_input($row['contact_date']);
}
}
PHPMySQL Server
Last Comment
Julian Hansen
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thank you!
You are welcome.