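// Connect to database. ERRMODE_EXCEPTION makes a failed prepare/execute
// throw instead of returning false, so a broken query is not silently ignored.
$conn = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password", [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Read the user-supplied value (a missing POST field becomes an empty string).
$value = $_POST['input'] ?? '';

// Execute select statement as a prepared statement with a bound parameter.
// The value is sent to the server separately from the SQL text, so it can never
// change the structure of the statement; this replaces the earlier pattern of
// quoting the value with $conn->quote() and concatenating it into the query.
$stmt = $conn->prepare("SELECT * FROM mytable WHERE column = :value");
$stmt->execute([':value' => $value]);
$results = $stmt->fetchAll();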
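// Connect to database
$conn = new mysqli("localhost", "username", "password", "mydatabase");

// Read the user-supplied values (a missing POST field becomes an empty string).
$name = $_POST['name'] ?? '';
$email = $_POST['email'] ?? '';

// Create insert statement with placeholders. The values are bound as parameters
// instead of being escaped with mysqli_real_escape_string() and concatenated in,
// so they are never part of the SQL text and cannot alter the statement.
$sql = "INSERT INTO mytable (name, email) VALUES (?, ?)";
$stmt = $conn->prepare($sql);
// "ss": both parameters are bound as strings. bind_param() takes its arguments
// by reference, which is why plain variables are used here.
$stmt->bind_param("ss", $name, $email);

// Execute insert statement. $sql now holds only the placeholder template, so
// echoing it in the error path no longer reflects user input back to the client.
if ($stmt->execute() === TRUE) {
    echo "Record has been inserted successfully!";
} else {
    echo "Error: " . $sql . " " . $stmt->error;
}

In this example, the input values are bound as parameters of a prepared statement rather than being escaped with the mysqli_real_escape_string function and concatenated into the insert statement. Because the values are never interpolated into the SQL text, they cannot be interpreted as SQL. Package library: mysqli. Both the PDO and mysqli libraries have their own implementation of the db qstr function, but they achieve the same goal of sanitizing input values for use in SQL statements; prepared statements with bound parameters are the preferred alternative to escaping.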