As suggested, prepared statements are the best way to achieve good protection from SQL injection.
Shortened Example
You will need to add entries to fill in all columns you wish to insert.
$email = $_POST['e-mail'];
$fn = $_POST['firstname'];
$ln = $_POST['lastname'];
// prepare() returns false if the SQL cannot be parsed, so check before binding
if ($stmt = $mysqli->prepare("INSERT INTO `newcartdb`.`orders` (Email, Firstname, Lastname) VALUES (?, ?, ?)")) {
    // bind the three values as strings; they travel separately from the SQL text
    $stmt->bind_param("sss", $email, $fn, $ln);
    $stmt->execute();
    $_SESSION['notice'] = "Table updated";
}
else {
    $_SESSION['notice'] = "Table could not be updated!";
}

“sss” – represents the data type of each entry, i.e. “s” for string, “i” for integer.
values(?,?,?) – these are placeholders for the bind_param call, so each ‘?’ is replaced in sequential order with the values you pass to the bind_param method.
9
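The following is an added example, not part of the answer above or of the asker's code. It shows the same parameterised INSERT side by side with a concatenated SELECT and its bound-parameter equivalent, run against an in-memory SQLite database through PDO (assumed available via the pdo_sqlite extension) so it needs no MySQL server. The table and column names mirror the answer; the rows and the probe string are constructed for illustration.

```php
<?php
// Added example (not from the original answer): bound parameters versus
// string concatenation, run against an in-memory SQLite database via PDO.
// Assumption: PHP with the pdo_sqlite extension. Rows and inputs are constructed.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (Email TEXT, Firstname TEXT, Lastname TEXT)');
    return $db;
}

// Same shape as the answer's INSERT: placeholders in the SQL, values passed to execute().
function insertOrder(PDO $db, string $email, string $fn, string $ln): bool {
    $stmt = $db->prepare('INSERT INTO orders (Email, Firstname, Lastname) VALUES (?, ?, ?)');
    return $stmt->execute([$email, $fn, $ln]);
}

// Vulnerable lookup: user input is glued into the SQL text, so quotes in the
// input change the meaning of the statement.
function findByEmailUnsafe(PDO $db, string $email): array {
    $sql = "SELECT Email FROM orders WHERE Email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe lookup: the value is sent as a bound parameter and is only ever data.
function findByEmailSafe(PDO $db, string $email): array {
    $stmt = $db->prepare('SELECT Email FROM orders WHERE Email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = openDb();
insertOrder($db, 'alice@example.com', 'Alice', 'Adams');      // constructed rows
insertOrder($db, 'bob@example.com', 'Bob', 'Brown');
insertOrder($db, "o'brien@example.com", 'Pat', "O'Brien");    // apostrophe is harmless when bound

// A constructed probe that matches no real e-mail address.
$probe = "' OR '1'='1";

echo "unsafe lookup returned " . count(findByEmailUnsafe($db, $probe)) . " rows\n"; // all 3 rows
echo "safe lookup returned   " . count(findByEmailSafe($db, $probe)) . " rows\n";   // 0 rows

// The concatenated version also breaks on ordinary data containing a quote.
try {
    findByEmailUnsafe($db, "o'brien@example.com");
} catch (PDOException $e) {
    echo "unsafe lookup failed on a legitimate address: " . $e->getMessage() . "\n";
}
echo "safe lookup found " . count(findByEmailSafe($db, "o'brien@example.com")) . " row\n"; // 1 row
```

With mysqli the pattern is the one in the answer: `prepare()` with `?` placeholders, `bind_param("sss", ...)`, then `execute()`; when `prepare()` returns false, `$mysqli->error` holds the reason, which is usually a typo in the SQL rather than a problem with the input.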
solved How can I avoid SQL injection in my code below? [duplicate]