Super long question regarding MySQLi prepared statements in PHP. Here goes.
Is using MySQLi prepared statements completely invulnerable to SQL injection? For example, see my code below: am I correct in thinking I can use the $_POST variable straight from the user without any injection protection? For the purpose of this question please ignore validating data to make sure it is the correct format for my database (I always do that anyway); I'm more focusing on security here.
<?php
$mysqli = new mysqli($host, $user, $password, $database);
$stmt = $mysqli->stmt_init();
// The SQL is sent with a placeholder; the user value never becomes part of the SQL text.
$stmt->prepare('INSERT INTO `tablename` (`column`) VALUES (?)');
// 's' = bind the value as a string; bind_param takes its argument by reference.
$stmt->bind_param('s', $_POST['value']);
$stmt->execute();
$stmt->close();
$mysqli->close();
Also, is my code correct? This is only the second or third time I have written a prepared statement using the MySQLi class. Although it works, I was wondering whether I am doing everything correctly. Could any part of that script be considered bad practice?
Lastly, how would I go about doing multiple prepared statements that use the same database connection? Do I just use the close() method on the $stmt and then initialize another $stmt class?
Thanks!
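As an added illustration of the mechanics the question is about (this is example code, not the asker's script), the following runs two prepared statements on one mysqli connection, each prepared once and executed several times with re-bound values. It assumes the same `tablename` / `column` schema as the question and the same placeholder variables `$host`, `$user`, `$password`, `$database`. The sample inputs are constructed to contain quotes and SQL-looking text; because a bound parameter is sent separately from the SQL text, they are stored as literal data. One caveat worth knowing: a `?` placeholder can only stand for a value, never for a table or column name, so identifiers still cannot be taken from user input.

```php
<?php
// Added example, not the asker's code. Placeholders: $host, $user, $password, $database.
// Make mysqli throw exceptions instead of silently returning false on errors.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli($host, $user, $password, $database);
$mysqli->set_charset('utf8mb4');

// Constructed sample inputs: quotes and SQL-looking text are stored verbatim,
// because bound values never become part of the SQL text.
$inputs = ["O'Brien", 'x"; DROP TABLE `tablename`; --', 'plain value'];

// Statement 1: prepare once, execute once per value.
$insert = $mysqli->prepare('INSERT INTO `tablename` (`column`) VALUES (?)');
$insert->bind_param('s', $value);       // $value is bound by reference
foreach ($inputs as $value) {           // each assignment updates the bound variable
    $insert->execute();
}
$insert->close();

// Statement 2: a second prepared statement on the same open connection.
$select = $mysqli->prepare('SELECT `column` FROM `tablename` WHERE `column` = ?');
$select->bind_param('s', $needle);
$select->bind_result($stored);
foreach ($inputs as $needle) {
    $select->execute();
    $select->store_result();            // buffer rows so the statement can be re-executed
    $found = $select->fetch() === true;
    $select->free_result();
    printf("%-40s -> %s\n", $needle, $found ? 'stored verbatim: ' . $stored : 'not found');
}
$select->close();

$mysqli->close();
```

Both statements are closed before the connection is, which is the order the question asks about; a statement object can also be re-used for many executions by re-assigning the bound variables, so a new `$stmt` is only needed for a different SQL string.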