I have basic Website using HTML, PHP, MySQL.
HTML input:

`C# - Developer's Guide "LIMITED EDITION"`

becomes, in PHP:

`C# - Developer\'s Guide \"LIMITED EDITION\"`

and in MySQL:

`C# - Developer\'s Guide \"LIMITED EDITION\"`
In PHP I use:

```php
// $link is an open mysqli connection (created earlier in the script).
if (empty($_POST['book_title'])) {
    $errors['book_title'] = TRUE;
} else {
    // Escaping here is what adds the backslashes: the escaped string is then
    // bound to the placeholder, so the backslashes are stored literally.
    $book_title = mysqli_real_escape_string($link, trim($_POST['book_title']));
}

$query1 = "INSERT INTO book(title) VALUES(?)";
$stmt = mysqli_stmt_init($link);   // statement handle needed before prepare()
if (!$errors && mysqli_stmt_prepare($stmt, $query1)) {
    mysqli_stmt_bind_param($stmt, "s", $book_title) or die("Bind param failed");
    if (!mysqli_stmt_execute($stmt)) {
        $errors['table_book'] = TRUE;
    }
} else {
    $errors['table_book'] = TRUE;
}
```
EDIT: magic_quotes are turned off, and I'm using PHP 7.0.3.

How do I get my HTML input, as it is, in PHP and in MySQL too?

What is magic_quotes (I heard about it somewhere on blogs), and can it help me?

Ask me if you need any other info. Help me.
As suggested by 'Phil' in the above comments and in other SO questions (found when searching for 'should i use mysqli_real_escape_string with prepared statement'):

Use only prepared statements rather than mysqli_real_escape_string() or a combination of both.
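A corrected version of the insert, as an added example (not the asker's or Phil's code): the trimmed value is bound by the prepared statement without any escaping, so the database stores exactly what was typed, and HTML escaping happens only at output time with htmlspecialchars(). It assumes a mysqli connection in `$link` and that the `book` table from the question also has an auto-increment `id` column.

```php
<?php
// Added example. Assumes $link is an open mysqli connection and that the
// table book(id AUTO_INCREMENT, title) exists (the id column is an assumption).

function insert_book_title(mysqli $link, string $raw_title): ?int
{
    // Only trim; do NOT call mysqli_real_escape_string() here. The placeholder
    // sends the value separately from the SQL text, so a quote in the title
    // cannot break out of the statement and nothing gets double-escaped.
    $title = trim($raw_title);
    if ($title === '') {
        return null;
    }

    $stmt = mysqli_prepare($link, "INSERT INTO book(title) VALUES(?)");
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, "s", $title);
    $ok = mysqli_stmt_execute($stmt);
    $id = $ok ? (int) mysqli_insert_id($link) : null;
    mysqli_stmt_close($stmt);
    return $id;
}

function fetch_book_title(mysqli $link, int $id): ?string
{
    $stmt = mysqli_prepare($link, "SELECT title FROM book WHERE id = ?");
    mysqli_stmt_bind_param($stmt, "i", $id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $title);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return $found ? $title : null;
}

// Usage with a constructed sample input: the stored value is exactly the input.
$input  = 'C# - Developer\'s Guide "LIMITED EDITION"';
$id     = insert_book_title($link, $input);
$stored = fetch_book_title($link, $id);
// $stored === $input  (no backslashes were added by PHP or MySQL)

// Escape only when rendering into HTML, so the quotes cannot break the markup.
echo '<td>' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '</td>';
```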