You likely (because you didn’t post all the php and html involved) have two problems -
- When you output values in the form fields, you need to apply htmlentities() to them, right before outputting them, so that any html entities in the values cannot break the html markup.
- You need to use a prepared query when supplying any external, unknown, dynamic value to the query when it gets executed, so that any sql special characters in the values cannot break the sql query syntax, which is how sql injection is accomplished.
For the database statements, the PDO extension is the simplest to learn and use.
Here is typical PDO connection code -
$DB_HOST = ''; // database host name or ip address
$DB_USER = ''; // database username
$DB_PASS = ''; // database password
$DB_NAME = ''; // database name
$DB_ENCODING = 'utf8mb4'; // db character encoding. set to match your database table's character set. note: utf8 is an alias of utf8mb3/utf8mb4
$options = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // set the error mode to exceptions (this is the default setting now in php8+)
PDO::ATTR_EMULATE_PREPARES => false, // run real prepared queries
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC // set default fetch mode to assoc
$pdo = new pdo("mysql:host=$DB_HOST;dbname=$DB_NAME;charset=$DB_ENCODING",$DB_USER,$DB_PASS,$options);
For the query you have posted, a PDO prepared query would look like -
$sql = "UPDATE a_walking
// you likely have a WHERE clause in the above query that you didn't show
$stmt = $pdo->prepare($sql);