Example:
$conexao = mysqli_connect("localhost", "user", "password", "my_db");
$pegaNome = $_POST['nome'];
function insere($conexao, $pegaNome) {
    // Escape the user-supplied value before interpolating it into the query
    // (fixed: function name was misspelled and the parameter $pegaNome was not used)
    $nome = mysqli_real_escape_string($conexao, $pegaNome);
    $query = "INSERT INTO my_db (nome) VALUES ('{$nome}')";
    $result = mysqli_query($conexao, $query);
    return $result;
}
Just with this function, do I already prevent any attempt by the end user to do SQL injection? What are the best ways to avoid it?
Grateful!
Escaping characters does not solve the SQL injection problem; prepared statements decrease the risk. See that answer
– rray
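As an added example (not code from the question or from rray's comment), the same insert rewritten with a mysqli prepared statement, which is the approach the comment recommends. The table `my_db`, the column `nome` and the connection values come from the question; the charset setting and the input-length rule are assumptions.

```php
<?php
// Added example: same insert as the question, using a mysqli prepared statement.
$conexao = mysqli_connect("localhost", "user", "password", "my_db");
if ($conexao === false) {
    die("Connection failed: " . mysqli_connect_error());
}
// Assumed charset; set it on the connection so the driver and server agree on encoding.
mysqli_set_charset($conexao, "utf8mb4");

function insere(mysqli $conexao, string $nome): bool
{
    // The SQL text reaches the server with a placeholder only; the value is sent
    // separately as data, so quotes or comment markers in it are never parsed as SQL.
    $stmt = mysqli_prepare($conexao, "INSERT INTO my_db (nome) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, "s", $nome); // "s": bind the value as a string
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Validate the input before it reaches the database (assumed rules: non-empty, at most 100 characters).
$nome = isset($_POST['nome']) ? trim((string) $_POST['nome']) : '';
if ($nome === '' || mb_strlen($nome) > 100) {
    http_response_code(400);
    exit("Invalid name");
}

// A name such as O'Brien is stored literally; no escaping step is needed or used.
var_dump(insere($conexao, $nome));
```

The placeholder covers values only: table and column names, ORDER BY fields or LIMIT counts cannot be bound and must be checked against a fixed allow-list in code.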