I'm currently using the following query to get values in mysql using php:
The code is working, but now I'm worried about sql injections.
How to prevent SQL injection?
<?php include_once("wp-config.php");
@$gameid = $_GET['gameid'];
global $wpdb;
$fivesdrafts = $wpdb->get_results(
"
SELECT ID
FROM $wpdb->posts
WHERE ID = ".$gameid."
"
);
?>
is this safe?
<?php include_once("wp-config.php");
@$gameid = mysql_real_escape_string($_GET['gameid']);
global $wpdb;
$fivesdrafts = $wpdb->get_results(
$wpdb->prepare(
"
SELECT ID
FROM $wpdb->posts
WHERE ID = %d", ".$gameid.")
);
?>