How can I do this piece of code in a safe way to prevent SQL injections?
I tried to read the PHP manual of `mysqli->prepared` but I was not able to convert it since I'm new to PHP development.

NOTE: `DAL::$conn` is `$msqli = new mysqli()`
```php
$objects = array();
if ($id != null)
{
    $sql = "select * from Pages where id = ".$id;
}
else
{
    $sql = "select * from Pages";
}
$result = mysqli_query(DAL::$conn, $sql);
if (mysqli_num_rows($result) > 0) {
    // output data of each row
    $records = 0;
    while ($row = mysqli_fetch_assoc($result)) {
        $records++;
        $data = new Pages();
        $data->id = $row["id"];
        $data->title = $row['title'];
        $data->content = $row["content"];
        $objects[$records] = $data;
    }
} else {
    // No results
}
```
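
The query from the question rewritten with a mysqli prepared statement, as an added example that is not part of the original post. The `Pages` class here is a stand-in for the asker's class, `fetchPages` is a hypothetical helper name, and an integer `id` column is assumed.

```php
<?php
// Added example, not the asker's code. Pages is a stand-in for the class
// used in the question; the integer `id` column is an assumption.
class Pages
{
    public $id;
    public $title;
    public $content;
}

// Make mysqli throw exceptions instead of returning false on failure.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// fetchPages is a hypothetical helper name.
function fetchPages(mysqli $conn, $id = null): array
{
    $sql = "select id, title, content from Pages";

    if ($id !== null) {
        // Reject anything that is not a plain integer before it reaches MySQL.
        $id = filter_var($id, FILTER_VALIDATE_INT);
        if ($id === false) {
            throw new InvalidArgumentException("id must be an integer");
        }
        // The ? placeholder is sent separately from the SQL text, so the
        // value can never be parsed as part of the statement.
        $stmt = $conn->prepare($sql . " where id = ?");
        $stmt->bind_param("i", $id);
    } else {
        $stmt = $conn->prepare($sql);
    }

    $stmt->execute();
    $stmt->bind_result($rowId, $title, $content);

    $objects = array();
    $records = 0;
    while ($stmt->fetch()) {
        $records++;               // 1-based index, as in the question
        $data = new Pages();
        $data->id = $rowId;
        $data->title = $title;
        $data->content = $content;
        $objects[$records] = $data;
    }
    $stmt->close();
    return $objects;
}
```

With the connection from the question it is called as `fetchPages(DAL::$conn, $id)`. The strict `!== null` check means an id of `0` is looked up as a row instead of falling through to the unfiltered query, which is what the loose `!= null` comparison does.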