Is there a better, more “Standard” way to perform SQL queries in PHP without using a framework?

Question

For the longest time, I\'ve been using the following basic formatting for SQL queries within my PHP:

$sql = \"SELECT * FROM `user-data` WHERE `id` = \'\".$id.\"\         


        

Answer 1

You can use mysqli to write little place holders in you SQL and then fill them in. It should be less susceptible to SQL injection attacks than string concatenation.

$conn = new mysqli($server, $username, $password, $database);
$stmt = $conn->prepare('SELECT * FROM people WHERE age = ? AND name != ?');
$stmt->bind_param('is', 20, "Austin");