$sql = "SELECT filmID, filmName, filmDescription, filmImage, filmPrice, filmReview FROM movies WHERE filmID = :filmID";
$stmt = $pdo->prepare($sql);                          // $pdo is an already-open PDO connection
$stmt->bindParam(':filmID', $filmID, PDO::PARAM_INT); // the value travels separately from the SQL text
$stmt->execute();

Here's how it goes. You write your simple SELECT query into a variable, replacing each variable with a named placeholder such as :filmID. You then prepare the query and finally bind the parameter (the placeholder from the first line) to your PHP variable, typed as an integer. It's that simple, and your database is protected from SQL injection.
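The same pattern run end to end, as an added example rather than the post's own code: a throwaway in-memory SQLite database (assumed; the post does not say which driver it uses) seeded with constructed rows matching the post's column names, the string-concatenation version the post is replacing, and the prepared-statement version with one caveat the post leaves implicit: binding as PDO::PARAM_INT does not validate the input, so the safe version checks for a whole integer before binding.

```php
<?php
// Added example, not the original post's code. Schema is assumed from the
// post's SELECT; the rows and the request value are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for server-side prepares; matters for drivers such as MySQL that emulate
// placeholders client-side by default (SQLite ignores the setting).
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE movies (
    filmID INTEGER PRIMARY KEY, filmName TEXT, filmDescription TEXT,
    filmImage TEXT, filmPrice REAL, filmReview TEXT)');
$seed = $pdo->prepare('INSERT INTO movies VALUES (:id, :name, :desc, :img, :price, :rev)');
foreach ([[1, 'Film One'], [2, 'Film Two'], [3, 'Film Three']] as [$id, $name]) {
    $seed->execute([':id' => $id, ':name' => $name, ':desc' => 'constructed',
                    ':img' => 'none.jpg', ':price' => 9.99, ':rev' => 'n/a']);
}

// Vulnerable form: the request value is pasted straight into the SQL text,
// so whatever the client sends becomes part of the WHERE clause.
function fetchFilmUnsafe(PDO $pdo, string $filmID): array
{
    $sql = "SELECT filmID, filmName FROM movies WHERE filmID = $filmID";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The post's pattern: named placeholder, prepare, bind as an integer, execute.
// Binding does not validate, so reject anything that is not a whole integer first.
function fetchFilmSafe(PDO $pdo, string $filmID): array
{
    $id = filter_var($filmID, FILTER_VALIDATE_INT);
    if ($id === false) {
        return []; // not an integer: nothing to look up
    }
    $sql = 'SELECT filmID, filmName, filmDescription, filmImage, filmPrice, filmReview
            FROM movies WHERE filmID = :filmID';
    $stmt = $pdo->prepare($sql);
    $stmt->bindParam(':filmID', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request value: a client sends this instead of a plain number.
$input = '1 OR 1=1';
printf("unsafe: %d row(s)\n", count(fetchFilmUnsafe($pdo, $input)));
printf("safe:   %d row(s)\n", count(fetchFilmSafe($pdo, $input)));
printf("safe:   %d row(s)\n", count(fetchFilmSafe($pdo, '2')));
```

Run with `php example.php`. The unsafe function returns every row in the table, because the concatenated WHERE clause now reads `filmID = 1 OR 1=1`; the safe function returns no rows for that input and exactly one row for `'2'`, since the placeholder is only ever filled with an integer value the database receives separately from the query text.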