I'm converting old MySQL code to MySQLi, and running into some questions.
When selecting data from the database, is it necessary or strongly advised to use prepared statements, or can I safely escape my user-derived parameters like the sample below?
In a perfect world I'd have all the time I needed and my middle-aged brain would be as excited by all this as it was when I wrote my original code 8 years ago, but neither of those conditions exists right now. ;(
Many thanks in advance.
function listRecords() {
    global $db; // bring db connection into scope
    // escape the user-supplied value for use inside the single-quoted SQL string below
    $lname = mysqli_real_escape_string($db, $_GET['lastname'] ?? '');
    $sql = "SELECT * FROM members WHERE lastname='$lname'";
    if (!$result = $db->query($sql)) {
        die($db->error);
    }
    while ($row = $result->fetch_assoc()) {
        // read the columns from the fetched row; escape for HTML at output time
        echo '<p>' . htmlspecialchars($row['firstname'] . ' ' . $row['lastname']) . "</p>\n";
    }
    $result->free();
}
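The prepared-statement form of the same lookup, as an added example that is not part of the original post. It assumes a `mysqli` connection `$db` (with the mysqlnd driver, which `get_result()` needs), a `members` table with `firstname` and `lastname` columns as in the question, and an `id` column for the second function, which is added only to show the case where `mysqli_real_escape_string` alone does not protect you: a value placed outside quotes.

```php
<?php
// Added example, not the poster's code. Assumes $db is a live mysqli connection
// and a `members` table with firstname, lastname and (for safeById) id columns.

function listRecordsPrepared(mysqli $db, string $lastname): array
{
    // The SQL text never contains user data; the value travels to the server
    // separately from the statement, so no quoting or escaping is involved.
    $stmt = $db->prepare('SELECT firstname, lastname FROM members WHERE lastname = ?');
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param('s', $lastname);
    if (!$stmt->execute()) {
        throw new RuntimeException($stmt->error);
    }
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Querying and rendering are kept apart: HTML is a different context from SQL
// and gets its own escaping at output time.
function renderRecords(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $name = $row['firstname'] . ' ' . $row['lastname'];
        $html .= '<p>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $html;
}

// Why escaping is only safe inside a quoted string literal:
// real_escape_string escapes quote, backslash and NUL characters, nothing else.
// In an unquoted numeric position the input "1 OR 1=1" passes through unchanged.
function unsafeById(mysqli $db, string $id): string
{
    $escaped = $db->real_escape_string($id);
    return "SELECT * FROM members WHERE id=$escaped"; // still injectable
}

// The bound-parameter version has no such context to get wrong.
function safeById(mysqli $db, string $id): ?array
{
    $stmt = $db->prepare('SELECT firstname, lastname FROM members WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $intId = (int) $id;            // typed binding: 'i' sends an integer
    $stmt->bind_param('i', $intId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (connection details are assumptions, configured elsewhere in a real app):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions instead of die()
// $db = new mysqli('localhost', 'user', 'pass', 'app');
// $db->set_charset('utf8mb4'); // escaping functions depend on the connection charset
// echo renderRecords(listRecordsPrepared($db, $_GET['lastname'] ?? ''));
```

Two practical points follow from the block: `mysqli_real_escape_string` is only correct when the value lands inside a quoted string literal and the connection character set has been set via `set_charset()`, because the function escapes according to that charset. Prepared statements remove both conditions, which is why they are the usual recommendation when converting old code rather than auditing every query for the right quoting context.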