I'm currently setting up PHP scripts for my app and I'm a bit clueless about how to obtain a level of safety to prevent injections to the SQL server.
There are a few scripts that receive input from the app and not from the user directly, such as content browsing and content rating, although it is eventually an input.
The script that does receive direct user input as "name" and "creator name" is this:
// Assumes $connect is an already-open mysqli connection.
$utc_str = gmdate("M d Y H:i:s", time());
$TIMESTAMP = strtotime($utc_str); // integer Unix timestamp, not user-controlled
$DATA = $_POST['DATA'];
$NAME = $_POST['NAME'];
$CREATOR = $_POST['CREATOR'];
if(strlen($NAME) > 15 || strlen($CREATOR) > 15) exit("Error 2");
// The three user-supplied values are bound as parameters; only the integer timestamp is interpolated.
$stmt = $connect->prepare("INSERT INTO `ugcl` (`DATA`,`NAME`,`CREATOR`,`CREATEDSTAMP`)
    VALUES (?, ?, ?, ". $TIMESTAMP .")");
$stmt->bind_param("sss", $DATA, $NAME, $CREATOR); // "sss" = three string parameters
if($stmt->execute())
{
    echo "Success";
}
else
{
    echo "Error";
}
Should I use bind params in all of the scripts that receive input? Is there anything else that is recommended?
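An added example (not the asker's code) showing the same insert with every value bound, plus a rating and a browsing script of the kind the question mentions, so that values arriving "from the app" are parameterized just as strictly. It assumes `$connect` is a mysqli connection, that `ugcl` also has integer `ID` and `RATING` columns, and that mysqlnd is available for `get_result()`; the credentials are placeholders.

```php
<?php
// Added example: bind every value, including ones the app (not the user) supplies.
// Assumed schema: `ugcl` has integer `ID` and `RATING` columns in addition to those in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of failing silently
$connect = new mysqli('localhost', 'user', 'password', 'appdb'); // placeholder credentials
$connect->set_charset('utf8mb4'); // set the connection charset explicitly; escaping depends on it

function insert_content(mysqli $db, string $data, string $name, string $creator): bool
{
    // Measure length in characters, not bytes, so multibyte names are checked correctly.
    if (mb_strlen($name) > 15 || mb_strlen($creator) > 15) {
        return false;
    }
    $timestamp = time(); // already UTC seconds; no need to format and re-parse
    // Every value is a placeholder, the timestamp included ("i" = integer).
    $stmt = $db->prepare(
        'INSERT INTO `ugcl` (`DATA`, `NAME`, `CREATOR`, `CREATEDSTAMP`) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('sssi', $data, $name, $creator, $timestamp);
    return $stmt->execute();
}

function rate_content(mysqli $db, $id, $rating): bool
{
    // Input "from the app" still crosses a trust boundary: coerce to int and range-check it.
    $id = filter_var($id, FILTER_VALIDATE_INT);
    $rating = filter_var($rating, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 5]]);
    if ($id === false || $rating === false) {
        return false;
    }
    $stmt = $db->prepare('UPDATE `ugcl` SET `RATING` = ? WHERE `ID` = ?');
    $stmt->bind_param('ii', $rating, $id);
    return $stmt->execute();
}

// Column names cannot be bound as parameters, so a sort column must come from a fixed whitelist.
function browse_content(mysqli $db, string $order_by, int $limit): array
{
    $allowed = ['CREATEDSTAMP', 'NAME'];
    if (!in_array($order_by, $allowed, true)) {
        $order_by = 'CREATEDSTAMP';
    }
    $stmt = $db->prepare("SELECT `ID`, `NAME`, `CREATOR` FROM `ugcl` ORDER BY `$order_by` DESC LIMIT ?");
    $stmt->bind_param('i', $limit);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

The whitelist in `browse_content` is the part prepared statements do not cover: placeholders work for values only, never for table or column names.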