aetareq

I've developed a php script to connect to the mysql, get and store some info of the users. I've heard to write the php in prepared statement to prevent sql injection hacking. I'm quite unfamiliar with this term. So anyone can help me modifying my scripts in procedural prepared statement would be really so much appreciated. here's my code: <?php $ipaddress = ''; if (getenv('HTTP_CLIENT_IP')) $ipaddress = getenv('HTTP_CLIENT_IP'); else if(getenv('HTTP_X_FORWARDED_FOR')) $ipaddress = getenv('HTTP_X_FORWARDED_FOR'); else if(getenv('HTTP_X_FORWARDED')) $ipaddress = getenv('HTTP_X_FORWARDED'); else if(getenv('HTTP_FORWARDED_FOR')) $ipaddress = getenv('HTTP_FORWARDED_FOR'); else if(getenv('HTTP_FORWARDED')) $ipaddress = getenv('HTTP_FORWARDED'); else if(getenv('REMOTE_ADDR')) $ipaddress = getenv('REMOTE_ADDR'); else $ipaddress = 'UNKNOWN'; $servername = "localhost"; $username = "username"; $password = "password"; $dbname = "db_test"; $con = mysqli_connect($servername, $username, $password, $dbname); $sql = "SELECT time FROM userinfo WHERE ipaddress='$ipaddress'"; $result = mysqli_query($con, $sql); if (mysqli_num_rows($result) > 0) { $row = mysqli_fetch_array($result); $rectime = $row['time']; $curtime = date("Y-m-d H:i:s"); $diff = round((strtotime($curtime) - strtotime($rectime))/(60*60)); if ($diff > 0) { $sqli = "INSERT INTO userinfo (id, ipaddress, time) VALUES ('', '$ipaddress', NOW()) ON DUPLICATE KEY UPDATE time = NOW();"; mysqli_multi_query($con, $sqli); echo "welcome again"; } else { echo "welcome"; } } else { $sqli = "INSERT INTO userinfo (id, ipaddress, time) VALUES ('', '$ipaddress', NOW());"; mysqli_multi_query($con, $sqli); echo "welcome"; } mysqli_close($con); ?>