SQL注入语句[重复]

This question already has an answer here:

How can I prevent SQL injection in PHP? 28 answers

by setting a page, to "register" users into a mysql database, and using the following code:

$name = $_POST['name'];
$saltedpwd = md5($definedsalt.$_POST['pwd']);
$email = $_POST['email'];

$query = "INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( '$name', '$saltedpwd', '$email' )";
$insert = mysqli_query($database, $query);

is it vulnerable to any possible SQL injections?

About the email activation code, using this code:

$address = $_GET['email'];

if (isset($_GET['val']) && (strlen($_GET['val']) == 64))
{
$validate = $_GET['val'];
}

if (isset($address) && isset($validate))
{
$query = "UPDATE users SET activated = 'true' WHERE ( email ='$address' AND validate='$val' ) LIMIT 1";
$result_query = mysqli_query($database, $query);

$get_member = ($database, "SELECT name FROM users WHERE email = '$email'");
$query_get = mysqli_fetch_array($get_member);
$validated_name = $query_get['name'];
$insert_validate = "INSERT INTO `member` ( `name` ) VALUES ( '$validated_name' );
$result_insert = mysqli_query($database, $insert_validate);

Is it then vulnerable to any SQL injections? I suppose yes, because I have to retrieve the value from a $_GET request, so I guess them are allowed to put something like:

page.php?email=address@address.com'SQL_INJECTION'&val=123456asdfghjkl

Am I wrong? If it is actually vulnerable, how do I prevent any injections?

</div>

Yes , it is ,

what if user enters the following line as name ?

','',''); ANY_SQL_QUERY_HERE --

then this

$query = "INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( '$name', '$saltedpwd', '$email' )";

becomes

INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( '','',''); ANY_SQL_QUERY_HERE --', '$saltedpwd', '$email' )";

You should NEVER use direct concatenation of strings to query , You must use prepared statements

More about prepared statements - http://php.net/manual/en/pdo.prepared-statements.php

for example , your query could be done like this

$query = "INSERT INTO users (name,pwd,email) VALUES (:name,:pwd,:email)";
$statement = $pdoDatabaseHandle->prepare($query);
$statement->bindValue(':name',$name);
$statement->bindValue(':pwd',$saltedpwd);
$statement->bindValue(':email',$email);
$statement-execute();

Overall SQL Injection is well explained at wikipedia - https://en.wikipedia.org/wiki/SQL_injection

I suggest looking into prepared statements. You are very susceptible of being attacked because the input isn't validated. Please refer here.