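<?php

declare(strict_types=1);

// -- PULLING IN PRODUCTS TO READ OUT TO USER -- //

// Read-only query with no user-controlled parts, so a plain query() is acceptable here.
// Columns are listed explicitly so the row shape does not depend on table order.
$selectSql = 'SELECT products.ID, products.title, products.category, products.location,
        products.price, products.negotiable, products.description, products.photo, products.user_id
    FROM products';
$result = $db->query($selectSql);
if ($result === false) {
    // mysqli returns false on a failed query unless exception reporting is enabled; do not iterate false.
    throw new RuntimeException('Product query failed: ' . $db->error);
}

foreach ($result as $row) {
    $product_id = $row['ID'];
    // Escape at OUTPUT time only, into a separate variable: the raw value is never
    // written back, so it cannot be double-encoded. ENT_SUBSTITUTE + explicit charset
    // keep htmlspecialchars() from returning '' on invalid UTF-8 (which would blank the field).
    $title_html = htmlspecialchars((string) $row['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $category = $row['category'];
    // Every other column that reaches the browser (category, location, description, photo, ...)
    // must go through htmlspecialchars() the same way at the point where it is echoed.
}
$result->free();

// -- INSERTING PRODUCTS TO MAIN PRODUCT PAGE USING PREPARED STATEMENT -- //

// Incoming user input from some form. The field names below are assumed to mirror the
// column names — adjust to the real form. Values are bound RAW: the prepared statement
// handles SQL quoting, and HTML escaping belongs at output time, not in the database.
// TODO: validate each field (length, allowed values, numeric price) before binding.
$title = (string) ($_POST['title'] ?? '');
$category = (string) ($_POST['category'] ?? '');
$location = (string) ($_POST['location'] ?? '');
$price = (string) ($_POST['price'] ?? '');
$negotiable = (string) ($_POST['negotiable'] ?? '');
$description = (string) ($_POST['description'] ?? '');
$photo = (string) ($_POST['photo'] ?? '');
// $user_id must come from the authenticated session, never from the form, or a client
// could file products under another account. It is assumed to be set by the surrounding
// application before this point — confirm.

$null_value = null; // Bound for the ID column so the nine placeholders line up; presumably the DB assigns the key.
// Explicit column list: a positional INSERT silently breaks when the table gains or reorders columns.
$stmt = $db->prepare(
    'INSERT INTO products (ID, title, category, location, price, negotiable, description, photo, user_id)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
);
if ($stmt === false) {
    throw new RuntimeException('Prepare failed: ' . $db->error);
}
$stmt->bind_param(
    'sssssssss',
    $null_value,
    $title,
    $category,
    $location,
    $price,
    $negotiable,
    $description,
    $photo,
    $user_id,
);
if (!$stmt->execute()) {
    throw new RuntimeException('Insert failed: ' . $stmt->error);
}
// An INSERT produces no result set, so get_result() would only ever return false here.
// The useful outcomes are the row count and the generated key.
$inserted_rows = $stmt->affected_rows;
$new_product_id = $db->insert_id;
$stmt->close();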
