Hi all,

I'm trying to alter a piece of code to include mysqli_real_escape_string to avoid SQL injections, and I would like to ask if the following code is properly written, as I'm not quite sure how to test it.

Original code:

PHP Code:
if(($rss_title !='') && ($rss_url !=''))
{
    $query=mysqli_query($GLOBALS["___mysqli_ston"], "insert into rss (title, url, published, lang) values ('$rss_title', '$rss_url', '1', '$_SESSION[session_lang]')");
}

Altered code:

PHP Code:
if(($rss_title !='') && ($rss_url !=''))
{
    $query=mysqli_query($GLOBALS["___mysqli_ston"], "insert into rss (title, url, published, lang) values ('$rss_title', '$rss_url', '1', '$_SESSION[session_lang]')");

    $query mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $rss_title$rss_url$_SESSION);
}

Thanks
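
Added example, not part of the original post: mysqli_real_escape_string takes one string per call and must be applied before the value is placed in the SQL text; a prepared statement avoids the escaping step altogether. The connection details, the table definition and the function names insert_rss_escaped / insert_rss_prepared are assumptions made for this sketch, and the loop at the end is one way to test the result by storing values that contain quotes and reading them back.

```php
<?php
// Added example. Host, user, password and database name are placeholders (assumptions).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
mysqli_set_charset($db, 'utf8mb4'); // escaping depends on the connection charset

mysqli_query($db, "CREATE TABLE IF NOT EXISTS rss (
    id INT AUTO_INCREMENT PRIMARY KEY, title VARCHAR(255),
    url VARCHAR(255), published TINYINT, lang VARCHAR(8))");

// Variant 1: escape each value on its own, then build the query.
// Only safe because every escaped value sits inside '...' in the SQL text.
function insert_rss_escaped(mysqli $db, string $title, string $url, string $lang): int
{
    $t = mysqli_real_escape_string($db, $title);
    $u = mysqli_real_escape_string($db, $url);
    $l = mysqli_real_escape_string($db, $lang);
    mysqli_query($db, "INSERT INTO rss (title, url, published, lang)
                       VALUES ('$t', '$u', '1', '$l')");
    return (int) mysqli_insert_id($db);
}

// Variant 2: prepared statement; values never become part of the SQL text.
function insert_rss_prepared(mysqli $db, string $title, string $url, string $lang): int
{
    $stmt = mysqli_prepare($db,
        "INSERT INTO rss (title, url, published, lang) VALUES (?, ?, 1, ?)");
    mysqli_stmt_bind_param($stmt, 'sss', $title, $url, $lang);
    mysqli_stmt_execute($stmt);
    return (int) mysqli_stmt_insert_id($stmt);
}

// Constructed sample input: quotes and a backslash break an unescaped query.
$rss_title = "O'Reilly \"Radar\" feed \\ news";
$rss_url   = "https://example.com/feed?tag='php'";

// Test: insert with each variant, read the row back, compare byte for byte.
foreach (['insert_rss_escaped', 'insert_rss_prepared'] as $fn) {
    $id  = $fn($db, $rss_title, $rss_url, 'en');
    $res = mysqli_query($db, "SELECT title, url FROM rss WHERE id = " . (int) $id);
    $row = mysqli_fetch_assoc($res);
    $ok  = ($row['title'] === $rss_title && $row['url'] === $rss_url);
    echo $fn, ': ', $ok ? "stored verbatim\n" : "MISMATCH\n";
}
```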