Important is that any parameter in a query needs to be parameterized. It doesn't matter is your query is select, insert, update or delete kind of query, since every query can be used for injection.
Let's say that you want to have basic SELECT query, like:
SELECT `column1` FROM `table1` WHERE `column2` = 11;
You can parametarize it with code like:
$column2Value = 11; $sql = mysqli->prepare("SELECT `column1` FROM `table1` WHERE `column2` = ?"); $sql->bind_param("s", $column2Value); $sql->execute();
- Every queries should be parameterized
- Every argument to query should be treated as hostile as possible no matter their source