I know I have to prevent db injections by using mysqli_real_escape_string(),
but where should I best use it?
When declaring variables? e.g.
$username = mysqli_real_escape_string($link, $_POST['username']);
OR
inside the SELECT / INSERT MySQL queries?
OR
somewhere else?
Also, do I have to prevent db injection in an md5 password? e.g.
$password = mysqli_real_escape_string($link, md5($_POST['password']));