I've been working on a little script to insert data into a database but I'm not very sure if it's secure this way. Some feedback would be pretty cool! So my question, is this a secure way of inserting data?
CODE:
function dbRowInsert($table, $data) {
    // config.inc.php is expected to define $conn (a mysqli connection).
    // require, not require_once: a file included inside a function defines its
    // variables in that function's local scope, and require_once would skip the
    // file on the second call, leaving $conn undefined.
    require('../config.inc.php');
    $buildData = '';
    $countLoop = 1;
    foreach ($data as $field) {
        // Comma between values, nothing after the last one
        $sep = ($countLoop != count($data) ? ',' : '');
        if ((int)$field == $field) {
            // Numeric value: cast to int and emit unquoted
            $buildData .= (int)$field . $sep;
        } else {
            // String value: escape for this connection (mysqli_real_escape_string
            // needs the link as its first argument) and wrap in double quotes
            $buildData .= '"' . mysqli_real_escape_string($conn, (string)$field) . '"' . $sep;
        }
        $countLoop++;
    }
    // Column names come from the array keys and are wrapped in backticks;
    // the space after INTO and the unquoted VALUES list were missing before
    $fields = array_keys($data);
    mysqli_query($conn, "INSERT INTO `" . $table . "` (`" . implode('`, `', $fields) . "`)
        VALUES (" . $buildData . ")");
}
The best way is to use object-oriented style. That's the first. The second is to use methods instead of etc.
Read about it in the manual; it's simple and you will find it very useful and safe.
http://php.net/manual/en/mysqli.prepare.php
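The following is an added example of what the answer recommends, written for this page rather than taken from the question, the answer, or the PHP manual: the same row-insert helper rebuilt on mysqli's object-oriented prepared-statement API. It assumes `$conn` is a `mysqli` object created by your own configuration, and it adds an identifier check because placeholders cover only values, never the table and column names that the original interpolates directly into the SQL.

```php
<?php
// Added example, not code from the original post. Assumes $conn is a mysqli
// connection created elsewhere (for instance in config.inc.php).

function dbRowInsert(mysqli $conn, string $table, array $data): int
{
    if ($data === []) {
        throw new InvalidArgumentException('No columns to insert');
    }

    // Prepared statements parameterise values only. Table and column names
    // still end up in the SQL text, so restrict them to plain identifiers.
    foreach (array_merge([$table], array_keys($data)) as $identifier) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string)$identifier)) {
            throw new InvalidArgumentException("Invalid identifier: $identifier");
        }
    }

    $columns      = '`' . implode('`, `', array_keys($data)) . '`';
    $placeholders = implode(', ', array_fill(0, count($data), '?'));
    $sql = "INSERT INTO `$table` ($columns) VALUES ($placeholders)";

    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }

    // bind_param type string: i for integers, d for floats, s for everything
    // else. Values travel separately from the SQL text, so no escaping and no
    // manual quoting is needed (the original's (int)$field == $field test goes away).
    $types = '';
    foreach ($data as $value) {
        $types .= is_int($value) ? 'i' : (is_float($value) ? 'd' : 's');
    }
    $values = array_values($data);          // bind_param takes its arguments by reference
    $stmt->bind_param($types, ...$values);

    if (!$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $error);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage with a constructed row; the connection details are placeholders.
// $conn = new mysqli('localhost', 'db_user', 'db_password', 'app');
// $inserted = dbRowInsert($conn, 'users', ['name' => "O'Brien", 'age' => 42]);
```

The apostrophe in `O'Brien` is the kind of input the original helper has to escape by hand; here it is passed as a bound parameter and never touches the SQL string. The identifier regex is deliberately strict (letters, digits, underscore); if your schema uses other characters in names, adjust the pattern rather than dropping the check.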