- email, text, note
- VALUES(NOW(), ?, ?, ?, ?, ?");
- echo htmlspecialchars($_POST['author']);
- echo htmlspecialchars($_POST['email']);
- echo htmlspecialchars($_POST['text']);
+ email, text, note)
+ VALUES(NOW(), ?, ?, ?, ?)");
+ $stmt = $this->db->prepare($sql);
+ // Checks are needed here (no blank text,
+ // and a default author / email need to be set
+ $stmt->bind_param('ssss',
+ htmlspecialchars($_POST['author']),
+ htmlspecialchars($_POST['email']),
+ htmlspecialchars($_POST['text']),
+ $this->id);
+ $stmt->execute();