99 ochrana proti injecton útoku

www2databaze/pridat-zaka.php

@@ -7,21 +7,20 @@ if ($_SERVER ["REQUEST_METHOD"] === "POST") {
     require "assets/database.php";
 
     $sgl = "INSERT INTO student (first_name, second_name, age, life, college)
-VALUES ('" . $_POST["first_name"] . "','"
+        VALUES (?, ?, ?, ?, ?)";
-        . $_POST["second_name"] . "','"
+$statement = mysqli_prepare($connection, $sgl);
-        . $_POST["age"] . "','"
-        . $_POST["life"] . "','"
-        . $_POST["college"] . "')";
-//    var_dump($sgl);
-//    exit;
-    $result = mysqli_query($connection, $sgl);
 
-    if ($result === false) {
+mysqli_stmt_bind_param($statement, "ssiss", $_POST["first_name"], $_POST["second_name"], $_POST["age"], $_POST["life"], $_POST["college"]);
-        echo  mysqli_error($connection);
+mysqli_stmt_execute($statement);
-    } else {
+
-        $id = mysqli_insert_id($connection);
+//    $result = mysqli_query($connection, $sgl);
-        echo "Úspěšně vložen žák s ID: $id";
+//
-    }
+//    if ($result === false) {
+//        echo mysqli_error($connection);
+//    } else {
+//        $id = mysqli_insert_id($connection);
+//        echo "Úspěšně vložen žák s ID: $id";
+//    }
 }
 ?>
 <!DOCTYPE html>