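<?php
// -- PULLING IN PRODUCTS TO READ OUT TO USER -- //
// Columns are listed explicitly so the row shape used below does not shift
// if the table gains columns. Every text column is treated as untrusted input
// and escaped for the HTML context before it is echoed.
$select_sql = "
SELECT
products.ID,
products.title,
products.category,
products.location,
products.price,
products.negotiable,
products.description,
products.photo,
products.user_id
FROM
products";
$result = $db->query($select_sql);
if ($result === false) {
    // Older mysqli configurations return false instead of throwing; fail loudly
    // rather than iterating over a boolean.
    throw new RuntimeException('Product query failed: ' . $db->error);
}
foreach ($result as $row) {
    $product_id = $row['ID'];
    // User-supplied text: escape at output time. ENT_SUBSTITUTE keeps one
    // invalid UTF-8 byte from blanking the whole string; the explicit charset
    // avoids depending on default_charset.
    $title = htmlspecialchars((string) ($row['title'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $category = htmlspecialchars((string) ($row['category'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Remaining columns (location, price, negotiable, description, photo): same
    // treatment for anything that is rendered into the page.
}
// -- INSERTING PRODUCTS TO MAIN PRODUCT PAGE USING PREPARED STATEMENT -- //
// The bound variables are meant to hold the submitted form values.
// NOTE(review): as written they still carry the last row of the loop above, and
// $title there is already HTML-escaped. Store the raw submitted value and escape
// only at output, otherwise the text is double-encoded when it is read back.
// Input validation (numeric price, category from the allowed set, photo path)
// belongs here, before the bind.
$null_value = null; // ID is presumably auto-increment; bind_param needs a variable to carry the null
$stmt = $db->prepare("
INSERT INTO
products
(ID, title, category, location, price, negotiable, description, photo, user_id)
VALUES
(?, ?, ?, ?, ?, ?, ?, ?, ?)");
if ($stmt === false) {
    throw new RuntimeException('Prepare failed: ' . $db->error);
}
// Explicit column list above: the placeholder order no longer depends on the
// physical column order of the table.
$stmt->bind_param('sssssssss',
    $null_value,
    $title,
    $category,
    $location,
    $price,
    $negotiable,
    $description,
    $photo,
    $user_id);
if (!$stmt->execute()) {
    throw new RuntimeException('Insert failed: ' . $stmt->error);
}
// An INSERT produces no result set, so get_result() could only ever return
// false (and is unavailable without mysqlnd). The outcome of an insert is the
// new auto-increment id and the affected-row count.
$new_product_id = $stmt->insert_id;
$result = $stmt->affected_rows;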