I have been trying to update this SQL select query to a parameterized query so it is not vulnerable to SQL injection. I have tried hundreds of different combinations, I have looked at hundreds of web resources and questions on Stack Overflow, but I still cannot get it to work.
function SQLReturnOneCustomerValue($number, $value) {
    global $host, $username, $password, $database;
    // The query is built by string concatenation of the caller's input; this is the
    // SQL-injectable version the question is about and is left as-is here.
    $SQL_query = "select " . $value . " from customer where CustomerNumber = " . $number . " limit 1";
    // Use the globals declared above ($user/$pass were never defined, so the connection silently failed).
    // A "new" expression is always truthy, so "or die" cannot detect a failed connection; check connect_error instead.
    $DataB_link = new mysqli($host, $username, $password);
    if ($DataB_link->connect_error) {
        die("Could not connect to host.");
    }
    $DataB_link->query("SET NAMES 'utf8'");
    $DataB_link->select_db($database) or die("Could not find or access the database.");
    $result = $DataB_link->query($SQL_query) or die("Wrong Number / error");
    // fetch_array() returns null when no row matched; test for that explicitly instead of
    // "or die", which also fires on legitimate falsy values such as 0 or an empty string.
    $row = $result->fetch_array();
    if ($row === null) {
        die("Wrong Number / error");
    }
    return $row[0];
}
I know how to write a parameterized query, but how do I do it in a PHP function?
Just a point in the right direction is all I need.
Thank you for your time.
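The following is an added example (not the asker's code, and not from any answer on the page) showing the same lookup rewritten as a mysqli prepared statement inside a PHP function. It assumes the same globals ($host, $username, $password, $database) and the same table and column names (customer, CustomerNumber) as the question. One point the question's function hides: a placeholder can only stand in for a value, never for a column or table name, so the $value argument cannot be bound and has to be checked against a fixed allowlist instead. The column names in that allowlist are assumed for illustration.

```php
<?php
// Added example: parameterized version of SQLReturnOneCustomerValue.
// Assumes the question's globals and the customer/CustomerNumber schema.

// Identifiers cannot be bound with "?", so the requested column is restricted
// to a fixed list. These column names are assumed for illustration.
const CUSTOMER_COLUMNS = ['CustomerName', 'Email', 'Phone'];

function SQLReturnOneCustomerValue(int $number, string $value)
{
    global $host, $username, $password, $database;

    if (!in_array($value, CUSTOMER_COLUMNS, true)) {
        throw new InvalidArgumentException("Unknown customer column requested");
    }

    // Have mysqli throw on errors instead of returning false, so no "or die" chains are needed.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $link = new mysqli($host, $username, $password, $database);
    $link->set_charset('utf8mb4');

    // $value is interpolated only because it passed the allowlist above.
    // The customer number is bound as an integer parameter and never becomes part of the SQL text.
    $stmt = $link->prepare("SELECT `$value` FROM customer WHERE CustomerNumber = ? LIMIT 1");
    $stmt->bind_param('i', $number);
    $stmt->execute();

    $stmt->bind_result($output);
    $found = $stmt->fetch();   // true when a row was returned, null when none matched
    $stmt->close();
    $link->close();

    if ($found !== true) {
        throw new RuntimeException("No customer with that number");
    }
    return $output;
}

// Usage (values constructed for illustration):
// echo SQLReturnOneCustomerValue(42, 'Email');
// SQLReturnOneCustomerValue(42, 'Email; DROP TABLE customer');  // rejected by the allowlist
```

The bound parameter protects the WHERE clause; the allowlist protects the SELECT list, which is the part a prepared statement alone cannot cover. If the set of columns callers may request grows, extend the constant rather than relaxing the check.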