sql injection 1

[janet24]

How would I fix this simple code to protect form SQL injection. Can I put the form values in an array and use mysql_real_escape_strinb(); ?


<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');

$userid=$_POST['userid'];
$first=$_POST['first'];
$last=$_POST['last'];
$organ=$_POST['organ'];
$email=$_POST['email'];
$comments=$_POST['comments'];

@ $db=new mysqli('localhost', 'c4solutions', 'ftwash','ites');

if (mysqli_connect_errno())
{
echo 'Error: Could not connect to database.';
exit;
}

$query = "insert into itesuser values ('".$userid."','".$first."','".$last."','".$organ."','".$email."','".$comments."')";
$result = $db->query($query);
if ($result)
echo $db->affected_rows.' record has been inserted into the database<br> <span class="style1">Thank You.</span>';
$db->close();
?>

 

[jpadie]

wrap each value in mysql_real_escape_sting() for a start. and more generally why not read up on sql injection. i recall that phpsec.org has a section on it.