If you are using the current version of the PHP language, the SQL statement is sent to and parsed by the database server separately from any values. I think it is not possible for an attacker to inject malicious SQL if you use this example.
MYSQLI (for MySQL):

// $dbConnection is an already-open mysqli connection.
// The SQL text contains only a placeholder; the value is bound afterwards.
$qry = $dbConnection->prepare('SELECT * FROM student WHERE name = ?');
$qry->bind_param('s', $name);   // 's' = bind $name as a string
$qry->execute();
$result = $qry->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}
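To show concretely why the bound parameter above cannot change the query, here is an added example (not part of the answer) that ports the same idea to Python's sqlite3 module so it runs offline without a MySQL server. The in-memory `student` table, the sample names and the helper names `make_db`, `lookup_unsafe`, `lookup_safe` and `unsafe_query_breaks` are all constructed for this illustration; the contrast it draws is the one the answer describes: with concatenation the value becomes part of the SQL text, with a placeholder it never does.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the answer's `student` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO student (name) VALUES (?)",
        [("alice",), ("bob",), ("O'Brien",)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: the value is spliced into the SQL text, so the
    database parser sees whatever quotes and keywords the value contains."""
    sql = "SELECT name FROM student WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened form, equivalent to the answer's prepare()/bind_param():
    the SQL text is fixed and the value travels as a separate parameter."""
    sql = "SELECT name FROM student WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def unsafe_query_breaks(conn, name):
    """True if the concatenated query fails to parse for this value.
    A legitimate name with an apostrophe is enough to break it."""
    try:
        lookup_unsafe(conn, name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # A harmless name containing a quote already breaks the unsafe query...
    print("unsafe breaks on O'Brien:", unsafe_query_breaks(db, "O'Brien"))
    # ...while the parameterized query just matches the literal value.
    print("safe O'Brien:", lookup_safe(db, "O'Brien"))
    # A classic tautology widens the unsafe query to every row; bound as a
    # parameter it is only compared as a string and matches nothing.
    probe = "x' OR '1'='1"
    print("unsafe tautology:", lookup_unsafe(db, probe))
    print("safe tautology:", lookup_safe(db, probe))
```

The detection angle follows from the same property: because the statement text is constant, a database or WAF log of parameterized queries shows the literal `WHERE name = ?` on every call, and any log line where user-supplied characters appear inside the SQL text itself points at a concatenation path that still needs fixing.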