We had a project in school involving PHP, HTML and CSS. I wrote this code for the project and showed my teacher but he said it wasn't safe to use. I provided the code underneath.
<?php
// $host, $dbuser, $dbpass and $dbname are defined elsewhere in the project.
$con = new mysqli($host, $dbuser, $dbpass, $dbname);

// Store a new message; the prepared statement binds the POST values as parameters.
if (isset($_POST["title"]) && isset($_POST["message"]) && $_POST["message"] != '') {
    $stmt = $con->prepare("INSERT INTO messages (title, message) VALUES (?, ?)");
    $stmt->bind_param('ss', $_POST["title"], $_POST['message']);
    $stmt->execute();
    $stmt->close();
}

// Read back every stored message and print it into the page as-is.
$sql = "SELECT * FROM messages";
$result = $con->query($sql);
if ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
        echo "<strong>Titel: </strong>" . " " . $row["title"] . "<br>\n";
        echo "<strong>Bericht: </strong>" . " " . $row["message"] . "<br>\n";
        echo "<br />";
        echo "<hr />";
    }
} else {
    echo "<b>No messages found!</b>";
}
I'd appreciate it if you guys could help me out.
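As an added example that is not part of the original post: the INSERT already uses a prepared statement with bound parameters, so that half is protected against SQL injection. The unsafe half is the display loop, which echoes whatever was stored straight into the HTML, so any HTML or script tags a visitor submits are rendered and executed for every later visitor (stored cross-site scripting). The same loop below escapes every database value before output; it assumes $con is the mysqli connection from the question and that the messages table has the columns title and message.

```php
<?php
// Added example: the fetch-and-display loop from the question, with every
// value HTML-escaped before it is echoed. Assumes $con is the mysqli
// connection from the question and the table messages(title, message).

/**
 * Escape a string for safe insertion into HTML text or attribute content.
 * ENT_QUOTES escapes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
 * sequences instead of silently returning an empty string.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Tell the browser which charset the escaping above assumes.
header('Content-Type: text/html; charset=utf-8');

$result = $con->query("SELECT title, message FROM messages");
if ($result === false) {
    // Keep database error details out of the page; log them server-side.
    error_log("messages query failed: " . $con->error);
    echo "<b>Could not load messages.</b>";
} elseif ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
        // A stored message containing HTML tags is now shown as literal
        // text instead of being interpreted by the visitor's browser.
        echo "<strong>Titel:</strong> " . h($row["title"]) . "<br>\n";
        echo "<strong>Bericht:</strong> " . h($row["message"]) . "<br>\n";
        echo "<br />\n<hr />\n";
    }
} else {
    echo "<b>No messages found!</b>";
}
```

The rule to take away is to escape at the point of output, for the context you are outputting into (here HTML body text), rather than trying to filter "bad" input on the way into the database.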