With these:

$band_id = $_SESSION['session_var'];
echo "band_id: " . $band_id;

$query="SELECT * FROM pic_upload WHERE band_id=$band_id";
echo "query: " . $query;

I get these:

band_id: 11
query: SELECT * FROM pic_upload WHERE band_id=11

SQL injections: Are these what I should use?

$db = new mysqli("localhost", "user", "pass", "database");
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
$stmt->bind_param("ss", $user, $pass); // "ss": both placeholders are strings
$stmt->execute();

And

$title = $_POST['title']; // user input from site

// define the cleaner
$dirtystuff = array("\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">",
"+", "%");

// clean user input (if it finds any of the values above, it will replace it
// with whatever is in the quotes - in this example, it replaces the value with
// nothing)
$title = str_replace($dirtystuff, "", $title);

and should I add something like these everywhere where user can input data
into database?
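Added example (not code from the original post): the band_id query from the top of the message rewritten as a prepared statement with an integer parameter, so the session value never becomes part of the SQL text and the str_replace blacklist is not needed for it. It assumes the same connection details and pic_upload table as the post, and that the mysqlnd driver is available for get_result().

```php
<?php
// Added example, not the poster's code. Connection details, the pic_upload
// table and the session variable name are taken from the question; the
// filename column used when printing is an assumption.

// Make mysqli throw on errors so a failed prepare() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function fetch_band_pics(mysqli $db, $band_id): array
{
    // Validate the type before it reaches the database: a value that is not
    // an integer is a bug or a tampered session, not something to "clean".
    if (filter_var($band_id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException("band_id must be an integer");
    }

    // The value travels as a bound parameter, separate from the statement
    // text, so quotes, semicolons or comment markers in it cannot alter the
    // query. This replaces both string interpolation and the blacklist.
    $stmt = $db->prepare("SELECT * FROM pic_upload WHERE band_id = ?");
    $stmt->bind_param("i", $band_id);   // "i" = integer placeholder
    $stmt->execute();

    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$db = new mysqli("localhost", "user", "pass", "database");
$db->set_charset("utf8mb4");

session_start();
$band_id = $_SESSION['session_var'];

foreach (fetch_band_pics($db, $band_id) as $pic) {
    // Binding protects the database, not the page: escape on output as well,
    // since a stored title or filename may contain < > " characters.
    echo htmlspecialchars($pic['filename'] ?? '', ENT_QUOTES, 'UTF-8'), "\n";
}
```

The same pattern covers the $title INSERT: bind it with "s" instead of stripping characters, and escape it with htmlspecialchars() when it is displayed.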
