Hi, I only know the basic fundamentals of PHP and I'm rushing a school project because the deadline is near; my code is prone to SQL injection,
but no matter how much documentation I have read, I don't know where to start, as I can't focus. Can somebody help or guide me on how to evolve this code into prepared statements or prevent SQL injections? Then I will have a guide and basis, as most of my code uses booleans, sessions or GET ids.
Here are the sample codes; I want to see how the multiple-insert function (insert into two tables) turns into prepared statements or how to prevent SQL injection. Thank you so much.
<?php
session_start();                      // needed before $_SESSION can be read
include 'functions/connectdb.php';    // defines $con; included here so mysqli_close() below always has it

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $lrn       = $_POST['lrn'];
    $ln        = $_POST['lname'];
    $fn        = $_POST['fname'];
    $mn        = $_POST['mname'];
    $sy        = $_POST['schoolyear'];
    $grade     = $_POST['grade'];
    $section   = $_POST['section'];
    $adviserid = $_POST['adviserid'];
    $user      = $_SESSION['user_id'];

    // Request values are interpolated straight into the SQL text: this is the injection point.
    if ($sql = mysqli_query($con, "INSERT INTO student_info(lrn_no,lastname,firstname,middlename)
        VALUES ('$lrn','$ln','$fn','$mn')")) {
        $last_id = mysqli_insert_id($con);   // AUTO_INCREMENT id of the student_info row
        // Same problem here: $sy, $grade, $section and $adviserid come from the request unescaped.
        mysqli_query($con, "INSERT INTO student_class (student_id,school_year,grade,section,adviser_id)
            VALUES ('$last_id','$sy','$grade','$section','$adviserid')");
        echo "Successfully Added Student";
    } else {
        echo "Failed to Submit.";            // the original had no echo, so nothing was printed on failure
    }
}
mysqli_close($con);
?>
The db connection (functions/connectdb.php):
<?php
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "";
$dbname = "jhs";
if (!$con = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname)) {
    die("Failed to connect: " . mysqli_connect_error());
}
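Below is an added example, not the asker's code, showing the same two-table insert rewritten with mysqli prepared statements in the procedural style the question already uses. It assumes functions/connectdb.php defines $con exactly as in the question, that lrn_no, the name columns, school_year, grade and section are string columns, and that student_id and adviser_id are integer columns (the bind types would change otherwise). The login check on $_SESSION['user_id'] and the findStudent() helper for the "GET id" case are illustrative assumptions as well.

```php
<?php
// Added example (not the asker's code): prepared statements keep request values out of the SQL text,
// so a quote or comment sequence in a field is stored as data instead of changing the query.
session_start();
include 'functions/connectdb.php';   // assumption: defines $con as in the question

// Turn every MySQL error into a mysqli_sql_exception instead of a silent false return.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumption: only logged-in users may add students; the original read user_id but never checked it.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit("Not logged in.");
}

// Pattern for pages that take ?id=...: the id is bound as an integer, never concatenated.
function findStudent(mysqli $con, int $id): ?array {
    $stmt = mysqli_prepare($con, "SELECT lrn_no, lastname, firstname FROM student_info WHERE id = ?");
    mysqli_stmt_bind_param($stmt, 'i', $id);   // assumption: student_info has an integer id column
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject the request early if a field is missing, rather than inserting empty strings.
    foreach (['lrn', 'lname', 'fname', 'mname', 'schoolyear', 'grade', 'section', 'adviserid'] as $field) {
        if (!isset($_POST[$field]) || $_POST[$field] === '') {
            http_response_code(400);
            exit("Missing field: " . htmlspecialchars($field, ENT_QUOTES, 'UTF-8'));
        }
    }
    // Integer id: a non-numeric value becomes 0 and fails the foreign-key check instead of reaching SQL as text.
    $adviserId = (int) $_POST['adviserid'];

    try {
        // Both inserts succeed or neither does, so a failed second insert leaves no orphan student_info row.
        mysqli_begin_transaction($con);

        $stmt = mysqli_prepare(
            $con,
            "INSERT INTO student_info (lrn_no, lastname, firstname, middlename) VALUES (?, ?, ?, ?)"
        );
        // 'ssss' = four string parameters; values are sent separately from the statement text.
        mysqli_stmt_bind_param($stmt, 'ssss', $_POST['lrn'], $_POST['lname'], $_POST['fname'], $_POST['mname']);
        mysqli_stmt_execute($stmt);
        $studentId = mysqli_insert_id($con);   // AUTO_INCREMENT id of the row just inserted
        mysqli_stmt_close($stmt);

        $stmt = mysqli_prepare(
            $con,
            "INSERT INTO student_class (student_id, school_year, grade, section, adviser_id) VALUES (?, ?, ?, ?, ?)"
        );
        // 'isssi' = int, three strings, int (types are an assumption about the schema).
        mysqli_stmt_bind_param($stmt, 'isssi', $studentId, $_POST['schoolyear'], $_POST['grade'], $_POST['section'], $adviserId);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);

        mysqli_commit($con);
        echo "Successfully Added Student";
    } catch (mysqli_sql_exception $e) {
        mysqli_rollback($con);
        // Keep the real error in the server log; the user only sees a generic message.
        error_log("student insert failed: " . $e->getMessage());
        echo "Failed to Submit.";
    }
}
mysqli_close($con);
```

The key change is that every `?` placeholder is filled through mysqli_stmt_bind_param() with an explicit type, so the database receives the query structure and the values separately; no escaping of the values is needed, and the same pattern applies to SELECT pages driven by a GET id, as findStudent() shows. The transaction and mysqli_report() setting are additions beyond the original's behaviour: they make a failure in the second insert visible and undo the first one.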