Retrieving Form Data Safely in PHP Database
It’s possible to use placeholders with SELECT statements just as you do with INSERT, UPDATE, or DELETE statements. Instead of using query() directly, use prepare() and execute(), but give prepare() a SELECT statement. However, when you use submitted form data or other external input in the WHERE clause of a SELECT, UPDATE, or DELETE statement, [...]
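The prepare()/execute() pattern for a SELECT described above, as an added example that is not code from the original page. The dishes table, its columns, the form field names and the find_dishes() helper are assumptions, and the form arrays are constructed stand-ins for $_POST.

```php
<?php
// Added example: table, column and field names are assumptions, not from the page.
// In-memory SQLite (needs the pdo_sqlite extension) so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE dishes (dish_name TEXT, price REAL)');
$seed = $db->prepare('INSERT INTO dishes (dish_name, price) VALUES (?, ?)');
foreach ([["General Tso's Chicken", 9.50], ['Fried Bean Curd', 5.25]] as $row) {
    $seed->execute($row);
}

/**
 * Look up dishes by exact name and maximum price using submitted form data.
 * The SQL text is fixed; external input reaches the database only as bound values.
 */
function find_dishes(PDO $db, array $form): array
{
    $name = trim((string) ($form['dish_name'] ?? ''));
    $max  = filter_var($form['max_price'] ?? null, FILTER_VALIDATE_FLOAT);

    // Reject missing or malformed input before touching the database.
    if ($name === '' || $max === false || $max < 0) {
        throw new InvalidArgumentException('dish_name and a non-negative max_price are required');
    }

    $stmt = $db->prepare(
        'SELECT dish_name, price FROM dishes
          WHERE dish_name = :name AND price <= :max
          ORDER BY price'
    );
    $stmt->execute([':name' => $name, ':max' => $max]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed form submission: the apostrophe in the name needs no manual quoting.
$rows = find_dishes($db, ['dish_name' => "General Tso's Chicken", 'max_price' => '10']);
printf("%d row(s): %s\n", count($rows), $rows[0]['dish_name'] ?? '(none)');

// Constructed malformed submission: the price is not a number, so no query runs.
try {
    find_dishes($db, ['dish_name' => 'Fried Bean Curd', 'max_price' => 'cheap']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```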