I have a form and post to file.php by AJAX like this:
<?php
$sql = $db->prepare("INSERT INTO warna SET id_warna='', nm_warna=? ");
$sql->bind_param("s", $nm_warna);
$sql->execute();
?>Is it safe? Or what must I do to make it safe?
</div>
分享 Yeah it is safe.
Prepared statements and parameterized queries are used to prevent SQL injections.
You've used the same thing, and that should avoid any user to play with your SQL queries.
PDO is a better option, which also speeds up your SQL queries.
分享
