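$str = "<script>alert('Hacked')</script>";
// Escape for an HTML text/attribute context. The flags are explicit so the
// result does not depend on the PHP version's defaults: ENT_QUOTES also
// converts single quotes (required when the value lands inside a '...'
// attribute), ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, and the charset must match the page's encoding.
// This is HTML escaping only; JS, URL and CSS contexts need their own encoders.
echo htmlentities($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');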
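//Connect (expected to leave a PDO handle in $dbh; configure it with
// PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION and
// PDO::ATTR_EMULATE_PREPARES => false)
// Untrusted request data. Defaults to '' when the field is absent, which is
// what the escaped-string version ended up inserting after its notice.
$unsafe_variable = $_POST['user-input'] ?? '';
// The original used mysql_real_escape_string()/mysql_query(): the mysql_*
// extension was removed in PHP 7.0, and escape-then-concatenate is only safe
// while the connection charset matches what the escaper assumes. A prepared
// statement sends the value separately from the SQL, so nothing is escaped.
// `table` and `column` are quoted because both are MySQL reserved words and
// the bare names in the original query do not parse.
$stmt = $dbh->prepare('INSERT INTO `table` (`column`) VALUES (?)');
$stmt->execute([$unsafe_variable]);
//Disconnect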
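// Prepared INSERT with named placeholders: $name and $value travel as bound
// parameters and are never spliced into the SQL text, so their content
// cannot change the statement.
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
// bindParam() binds by reference: the variables are read when execute()
// runs, not at the bind call.
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// The original snippet stopped after binding, so nothing was ever sent to
// the server. With PDO::ERRMODE_EXCEPTION (the PHP 8 default) a failure
// throws a PDOException; under the older silent mode it returns false, so
// the result is checked explicitly.
if ($stmt->execute() === false) {
    throw new RuntimeException('INSERT INTO REGISTRY failed: ' . implode(' ', $stmt->errorInfo()));
}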
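<?php
declare(strict_types=1);

// Look up users by the submitted username and print the matches.
// Credentials are hard-coded as in the original example; real code should
// load them from the environment or a config file outside the web root.
$db = new PDO(
    // charset in the DSN so the connection and the data agree on encoding.
    'mysql:host=localhost;dbname=mydatabase;charset=utf8mb4',
    'username',
    'password',
    [
        // Failures throw instead of returning false (the silent mode was the
        // default before PHP 8, which would let a failed query print nothing).
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Server-side prepares: parameters are sent separately from the SQL
        // and never pass through client-side escaping.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Untrusted input; '' when the field is missing (no undefined-index notice).
$username = $_POST['username'] ?? '';

// The placeholder keeps the user value out of the SQL text. Only the column
// that is actually displayed is selected.
$stmt = $db->prepare('SELECT username FROM users WHERE username = :username');
$stmt->execute([':username' => $username]);

$result = $stmt->fetchAll();

// Escape on output: a username stored in the table is attacker-controlled
// data and the original echoed it raw into the page (stored XSS).
foreach ($result as $row) {
    echo htmlspecialchars($row['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '<br>';
}
// No closing ?> tag: any whitespace after it would be sent as output.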