This question is three fold and regarding security with GET.
At the moment I am using a script that works on prepared statements and MAKES connections to mysql e.g.
$userinput= $_GET["userinput"];
// make connection
$mysqli = new mysqli("$servername", "$username", "$password", "$databasename");
$mysqli->set_charset('utf8');
$userinput= $_GET["userinput"];
$stmt = $mysqli -> prepare('SELECT one, two, three FROM tablename WHERE unique = ?');
if (
$stmt &&
$stmt -> bind_param('s', $userinput) &&
$stmt -> execute() &&
$stmt -> store_result() &&
$stmt -> bind_result($one, $two, $three)
)
{
WHILE LOOP HERE
}
?>
it is using link data passed alone in the URL e.g.
<a href="index.php?userinput=3">link3</a>
Question 1
Security wise, I think the above is secure from MySQL injection attack (please correct and provide example if possible if this is not the case). However, for extra security I would also like to use a fallback in the code e.g. real_escape_string (just in case there are any errors in my coding etc).
To do this, would I simply change
$userinput= $_GET["userinput"];
to
$uncheckedinput = $_GET["userinput"];
$userinput = $mysqli->real_escape_string($uncheckedinput);
or do I need to do something else?
Question 2
I would also like to use the variable $userinput on the page in non database php code e.g.
<?php if (empty($userinput )) {
echo "no data submitted, try again";
}
?>
Is there anyway the above could be manipulated maliciously e.g. should sanitation be used or is it not really needed and if so, how would I do this? I tried using :
mysqli_real_escape_string($mysqli, $userinput);
but this left me with an output like "userdata /'" if the data was manipulated to include a ' in the url.
Question 3
$userinput= $_GET["userinput"];
Should I be using ' or " in this line?
Any help would be appreciated and code examples greatly appreciated :)