With these:

```php
$band_id = $_SESSION['session_var'];
echo "band_id: " . $band_id;
$query = "SELECT * FROM pic_upload WHERE band_id=$band_id";
echo "query: " . $query;
```

I get these:

```
band_id: 11
query: SELECT * FROM pic_upload WHERE band_id=11
```

SQL injections: Are these what I should use?

```php
$db = new mysqli("localhost", "user", "pass", "database");
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
$stmt->bind_param("ss", $user, $pass); // "ss": both placeholders are bound as strings
$stmt->execute();
```

And

```php
$title = $_POST['title']; // user input from site
$dirtystuff = array("\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">", "+", "%"); // define the cleaner
// clean user input (if it finds any of the values above, it will replace it with whatever is in the quotes - in this example, it replaces the value with nothing)
$title = str_replace($dirtystuff, "", $title);
```

and should I add something like these everywhere where user can input data into database?
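An added demonstration, not part of the question above: the two approaches in the question behave very differently when the value lands in a numeric context like `WHERE band_id=...`. The character blacklist from the `$dirtystuff` array is reproduced exactly, and an input that uses only letters, digits and spaces passes straight through it and changes the query's logic; the bound-parameter version (the same idea as the `prepare`/`bind_param` code in the question) is not affected. Python with the standard-library `sqlite3` module stands in here for PHP with mysqli; the `pic_upload` table, its rows and the payload are constructed sample data, and the function names are the example's own.

```python
"""Blacklist filtering versus bound parameters in a numeric WHERE clause.

Added example; Python + sqlite3 stand in for PHP + mysqli. All data is constructed.
"""
import sqlite3

# The exact character list from the question's $dirtystuff array.
DIRTY = ['"', "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">", "+", "%"]


def clean(value: str) -> str:
    """Equivalent of str_replace($dirtystuff, "", $value): strip listed characters."""
    for ch in DIRTY:
        value = value.replace(ch, "")
    return value


def make_db() -> sqlite3.Connection:
    """Constructed sample data: uploads for three different band_id values."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE pic_upload (id INTEGER PRIMARY KEY, band_id INTEGER, filename TEXT)"
    )
    db.executemany(
        "INSERT INTO pic_upload (band_id, filename) VALUES (?, ?)",
        [(11, "a.jpg"), (11, "b.jpg"), (12, "c.jpg"), (13, "d.jpg")],
    )
    return db


def pics_concat(db: sqlite3.Connection, band_id: str) -> list:
    """Vulnerable pattern: blacklist-filter the value, then paste it into the SQL text.

    No quotes are needed to inject here, so stripping quote characters does not help:
    "11 OR 1 LIKE 1" contains nothing from DIRTY and turns the WHERE into a tautology.
    """
    query = "SELECT filename FROM pic_upload WHERE band_id=" + clean(band_id) + " ORDER BY id"
    return [row[0] for row in db.execute(query)]


def pics_bound(db: sqlite3.Connection, band_id: str) -> list:
    """Fix: the value travels to the database as a parameter, never as SQL text.

    Converting with int() first also rejects anything that is not a plain integer,
    so a payload fails loudly instead of silently matching nothing.
    """
    query = "SELECT filename FROM pic_upload WHERE band_id=? ORDER BY id"
    return [row[0] for row in db.execute(query, (int(band_id),))]


if __name__ == "__main__":
    db = make_db()
    payload = "11 OR 1 LIKE 1"  # passes the blacklist untouched
    print("filtered payload:", repr(clean(payload)))
    print("concat, normal  :", pics_concat(db, "11"))
    print("concat, payload :", pics_concat(db, payload))  # every row leaks
    print("bound, normal   :", pics_bound(db, "11"))
    try:
        pics_bound(db, payload)
    except ValueError as exc:
        print("bound, payload  : rejected,", exc)
```

The point to take from the run: the blacklist only guards against injections that need the listed characters, and a numeric column needs none of them. Binding the parameter (mysqli `prepare` + `bind_param`, or `?` placeholders in sqlite3) keeps data and SQL separate regardless of what characters the input contains, so it is the one to use everywhere a value enters a query; the blacklist is not a substitute, and it also mangles legitimate titles containing `'`, `-` or `/`.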