Thanks. That appears to be similar to what I'm doing, other than it shows a predetermined list, not sure how it helps me.
My guess is you're making a query string by adding the form input to it, something like
$something = $_GET['something'];
$sql = "SELECT stuff FROM table WHERE " . $something . " = 'something'";
That's bad and causes SQL injection because $something is not sanitized first.
You want to do something like
$something = $_GET['something'];
// $mysqli is an existing mysqli connection; a ? placeholder binds a value, not a column name
$stmt = $mysqli->prepare("SELECT stuff FROM table WHERE column = ?");
$stmt->bind_param("s", $something);
$stmt->execute();
By using bind_param, it will sanitize $something, and you won't have issues with apostrophes.
Andrew
--- Talisman v0.47-dev (Linux/riscv64)
* Origin: Smuggler's Cove - Private BBS (21:1/182)
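Added example (not from Andrew's message or the original poster's code) showing the concatenated query beside the prepared-statement form, including the case the thread's own snippet has, where the column name rather than the value comes from user input. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table `people`, its columns, and the input "Bob O'Brien" are constructed for the example. With mysqli the same pattern is `$mysqli->prepare(...)`, `bind_param("s", $value)`, `execute()`.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the poster's "table".
function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, city TEXT)");
    $db->exec("INSERT INTO people (name, city) VALUES ('Alice', 'Dublin'), ('Bob O''Brien', 'Cork')");
    return $db;
}

// The concatenation the thread warns about: the input becomes part of the SQL text,
// so an apostrophe in it ends the string literal and the statement fails (or worse).
function lookupUnsafe(PDO $db, string $name): array {
    $sql = "SELECT name, city FROM people WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the input travels as a bound value and is never parsed as SQL.
function lookupSafe(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT name, city FROM people WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A placeholder cannot stand in for a column name (the "? = 'something'" form in the
// thread). When the column is user-chosen, check it against a fixed whitelist and
// only then splice it into the SQL; the compared value is still bound.
const ALLOWED_COLUMNS = ['name', 'city'];

function lookupByColumn(PDO $db, string $column, string $value): array {
    if (!in_array($column, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException("column not allowed: $column");
    }
    $stmt = $db->prepare("SELECT name, city FROM people WHERE $column = ?");
    $stmt->execute([$value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildDb();
$input = "Bob O'Brien";   // constructed input with the apostrophe that breaks concatenated queries

try {
    lookupUnsafe($db, $input);
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

print_r(lookupSafe($db, $input));
print_r(lookupByColumn($db, 'city', 'Dublin'));

try {
    lookupByColumn($db, 'id', '1');   // real column, but not on the whitelist
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Run it with `php example.php`. The first lookup raises a syntax error because the apostrophe in the input closed the quoted literal early, the bound-parameter version returns the O'Brien row unchanged, and the whitelist keeps identifier positions (column or table names) out of reach of request input, which is the one thing bind_param cannot do for you.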