Search the Community

Based on the comments on my previous question, took some tutorials on how to avoid injections on query. Does the code below prevents against it in any way.? Secondly, can you recommend a good article that writes well in how to secure input data by users. Please be kind with your comments.😉😉. Thankks in advance. The code works fine. <?php include 'db.php'; error_reporting(E_ALL | E_WARNING | E_NOTICE); ini_set('display_errors', TRUE); if(isset($_POST['submit'])) { $username = $_POST['username']; $password = ($_POST['password']); $sql = "SELECT * FROM customer WHERE username = ?"; $stmt = $connection->prepare($sql); $stmt->bind_param('s', $username); $stmt->execute(); $result = $stmt->get_result(); $count = $result->num_rows; if($count == 1) { while ($row = $result->fetch_assoc()) { if ($row['status'] == 'blocked') { echo'your account is suspended' session_destroy(); exit(); } else if($row['status'] == 'active') { if($username !== $row['username']) { echo '<script>swal.fire("ERROR!!", " Username is not correct. Check Again", "error");</script>'; } if($password !== $row['password']) { echo'<script>swal.fire("ERROR!!!", "Your Password is Incorrect. Check Again.", "error");</script>'; } if($username == $row['username'] && $password == $row['password']) { header('Location:cpanel/'); else { } }//if count }//while loop }//submit ?>

How does one go about converting an SQL query such as: SELECT * FROM members WHERE userid='$userid' AND code=$code' into a prepared statement for PHP. I understand how to use prepared statements however I'm having trouble with the * part of the query and I'd rather not have to write out all the table coulmns because I have about 20. EDIT: I'm using mysqli procedural