dongmiyu8979 2016-08-07 05:17
Views: 34
Accepted

PHP | User search attack and vulnerability [duplicate]


I am using MySQLi to prevent any further attacks on my website. I am using PHP 5.6.16, MySQL 5.7.9, and WAMP.

I'm encountering the following error when searching for a user with some weird characters, like adding a ') character in the search box.

MySQL error # 1064 and SQLi vulnerability

How can I sanitize the text box input and prevent any weird or unrecognized characters from being searched?

Screenshot:

Error screenshot (image not reproduced here)

Code:

<?php
# Essential files, please don't erase them!
require_once("../functions.php");
require_once("../db-const.php");
session_start();
?>
<html>
<head>

    <script src="script.js" type="text/javascript"></script><!-- put it on user area pages -->
</head>
<body>
    <h1> View Profile </h1>
<hr />
<?php
if (logged_in() == false) {
echo "<script> window.alert(\"Please login first!\"); </script>";
    redirect_to("login.php");
} else {
    if (isset($_GET['username']) && $_GET['username'] != "") {
        $username = $_GET['username'];
    } else {
        $username = $_SESSION['username'];
    }

    ## connect mysql server
        $mysqli = new mysqli("localhost", "root", "", "loginsecure"); # quoted: bare words here were undefined constants
        # check connection
        if ($mysqli->connect_errno) {
            echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
            exit();
        }
    ## query database
        # fetch data from mysql database
        $sql = "SELECT * FROM users WHERE username ='".$username."' LIMIT 1";

        if ($result = $mysqli->query($sql)) {
            $user = $result->fetch_array();
        } else {
            echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
            exit();
        }

        if ($result->num_rows == 1) {
            # calculating online status
            if (time() - $user['status'] <= (5*60)) { // status holds the last-seen timestamp; 300 seconds = 5 minutes timeout
                $status = "Yes";
            } else {
                $status = "No";
            }

            # echo the user profile data
            echo "<title> View Profile of: {$user['username']} </title>";
            echo " Account Searcher: <br>
            <form action=\"?username=\" method=\"get\">
            Unique ID: <input type=\"text\" name=\"username\" placeholder=\"Searching for user: {$_GET['username']}\">
            <input type=\"submit\" value=\"Search\">
            </form><hr>
            ";
            echo "Unique ID: {$user['id']}
<br>Username: {$user['username']}
<br>First Name: {$user['first_name']}
<br>Last Name: {$user['last_name']}
<br>Email: {$user['email']}
<br>Online? $status
<br>";
        } else { // If the user doesn't exist, show the search form again
            echo " Account Searcher: <br>
            <form action=\"\" method=\"get\">
            Username: <input type=\"text\" name=\"username\" placeholder=\"User not found!\">
            <input type=\"submit\" value=\"Search\">
            </form><hr>
            ";
            echo "<title> User doesn't exist! | Prospekt </title> <p><b>Error:</b> User doesn't exist! Please register first!</p>";
        }
}

// showing the login & register or logout link
if (logged_in() == true) {
    echo '<a href="../logout.php">Log Out</a> | <a href="../home.php"> Go to Home </a>';
} else {
    echo '<a href="../login.php">Login</a> | <a href="register.php">Register</a>';
}
?>
<hr />
</body>
</html>

2 answers

  • donglin6313 2016-08-07 05:31

    You are sending the values directly into the database query before validating them, which may be dangerous. To prevent SQL injection there are built-in PHP functions like mysqli_real_escape_string(). That being said, a much better solution is using PHP prepared statements with PDO.

    In your code, when you are taking some data from the user, either from GET or POST variables, do this:

    <?php
    
    $conn = new mysqli("localhost", "root", "", "loginsecure"); // your open mysqli connection (the question's $mysqli)
    $uname = $_GET['username'];
    // now validate
    $username = mysqli_real_escape_string($conn, htmlspecialchars($uname));
    // Now username is somewhat protected, so use it for SQL queries.
    
    ?>
    
    This answer was selected as the best answer by the asker.
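The following is an added example and is not code from the question or from the accepted answer. It shows both halves of what the thread discusses: why the original string-concatenated query breaks on an input such as ') (the quote is left unbalanced, which is exactly the 1064 syntax error in the question) and how the same lookup looks as a mysqli prepared statement, where the value is bound separately from the SQL text and can never alter the statement's structure. It assumes the question's setup, i.e. a MySQL database named loginsecure on localhost, reachable as root with an empty password, with a users table holding the columns the question echoes (id, username, first_name, last_name, email, status); the probe strings are constructed for the example. The function names build_vulnerable_sql, find_user and h are this example's own. It is written to run on PHP 5.6 like the asker's install.

```php
<?php
// Added example, not the question's or the answerer's code.
// Assumed setup (from the question): database `loginsecure`, table `users`
// with columns id, username, first_name, last_name, email, status.

// 1) What the original page does: splice the raw value into the SQL text.
//    Returning the string lets the effect be seen without a database.
function build_vulnerable_sql($username)
{
    return "SELECT * FROM users WHERE username ='" . $username . "' LIMIT 1";
}

// 2) The fix: a mysqli prepared statement. The server compiles the SQL text
//    with only a placeholder in it; the value is bound afterwards, so a
//    quote inside it is just a character to compare against, never syntax.
function find_user(mysqli $db, $username)
{
    $stmt = $db->prepare(
        'SELECT id, username, first_name, last_name, email, status
           FROM users WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);   // 's' = bind as a string; no escaping needed
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    // get_result() needs the mysqlnd driver (the WAMP build of PHP 5.6 uses it);
    // on a libmysqlclient build use bind_result()/fetch() instead.
    $result = $stmt->get_result();
    $row = $result->fetch_assoc();
    $stmt->close();
    return $row ? $row : null;
}

// 3) HTML escaping belongs on output, at the point a value is echoed into a page.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed probe inputs (not taken from the page) that the search box might receive.
$probes = array(
    'alice',          // an ordinary username
    "')",             // the question's input: leaves an unbalanced quote, MySQL error 1064
    "' OR '1'='1",    // classic injection: the WHERE clause becomes always true,
                      // and LIMIT 1 hands back the first user's profile
);

// Part A runs anywhere: print the SQL the vulnerable code would send.
foreach ($probes as $p) {
    echo build_vulnerable_sql($p), PHP_EOL;
}

// Part B needs the database (run with `php this_file.php --db`): the same
// inputs through the prepared statement. Each probe is compared literally
// against the username column, so there is no error and no row unless a
// user is really named "')" or "' OR '1'='1".
if (PHP_SAPI === 'cli' && isset($argv) && in_array('--db', $argv, true)) {
    $db = new mysqli('localhost', 'root', '', 'loginsecure');
    if ($db->connect_errno) {
        fwrite(STDERR, "connect failed: {$db->connect_error}\n");
        exit(1);
    }
    foreach ($probes as $p) {
        $user = find_user($db, $p);
        printf("%-14s -> %s\n", json_encode($p),
               $user ? 'found ' . h($user['username']) : 'no such user');
    }
    $db->close();
}
```

Two caveats worth keeping in mind when comparing this with the escaping approach in the accepted answer. mysqli_real_escape_string() only protects a value that is placed inside quotes in the SQL, and only for the connection's current character set, whereas a bound parameter is safe regardless of how the query is written. And running htmlspecialchars() on the input before the lookup changes the value being searched for: an apostrophe becomes &#039;, so a user whose name contains one can no longer be found. Escape for HTML when echoing, as h() does above, and send the raw value to the database through a placeholder.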
