I have created a visitor sign in portal for on site visitors which they enter various details. once submitted it displays a badge and records the data into a database, my only worry is being self taught my coding isn't excellent and knowing how to use techniques to prevent SQL injection, I've used various things like mysqli_real_escape_string and mysqli_stmt_bind_param. is there anything else i can do to prevent SQL injection.

               <?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
  $mysqli = new mysqli("","","","");
  $mysqli->set_charset("utf8mb4");
} catch(Exception $e) {
  error_log($e->getMessage());
  exit('Error connecting to database');
}

        $full_name = mysqli_real_escape_string($mysqli, $_POST['full_name']); 
        $company = mysqli_real_escape_string($mysqli, $_POST['company']);
        $visiting = mysqli_real_escape_string($mysqli, $_POST['visiting']);
        $vehicle = mysqli_real_escape_string($mysqli, $_POST['vehicle']);

$stmt = $mysqli->prepare("INSERT INTO signin (full_name ,company, visiting, vehicle) VALUES (?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, "ssss", $full_name, $company, $visiting, $vehicle );
        $stmt -> execute();
        echo "<p><h1>$full_name</h1></p>";
        echo "<p>Company: $company</p>";
        echo "Date:  " . date("Y-m-d") ."";

$stmt->close();
$mysqli->close();
header( "refresh:10;url=VisitorHomePage.html" );
?>

0 Answers