Is this PDO code safe enough from SQL injection? [duplicate]

toffmjr

New Member
This question already has an answer here:

As the title says: is this code safe enough from SQL injection? Is there a better way to prevent SQL injection?

[code]
<?php
$hostname = "xxx";
$username = "xxx";
$dbname = "xxx";
$password = "xxx";
$usertable = "xxx";
$yourfield = "xxx";

$db = new PDO('mysql:host='.$hostname.';dbname='.$dbname.'', $username, $password);
// Throw exceptions on errors and use native (server-side) prepared statements
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// The table name is interpolated into the SQL text; the three values are bound as parameters
$query = $db->prepare("INSERT INTO `$usertable` (first_name, last_name, username) VALUES (:first_name, :last_name, :username)");
$query->bindValue(':first_name', $_POST['first_name']);
$query->bindValue(':last_name', $_POST['last_name']);
$query->bindValue(':username', $_POST['username']);
$query->execute();
?>
[/code]
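An added example, not part of the original post: the posted query binds its three values but interpolates the table name, and PDO placeholders can only carry values, so an identifier that is ever made variable needs an allow-list check before it reaches the SQL text. The names `ALLOWED_TABLES`, `insertUser()` and the `users` table are assumptions made for illustration, and an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added example, not the poster's code. ALLOWED_TABLES, insertUser() and the
// "users" table are constructed; in-memory SQLite stands in for MySQL.
declare(strict_types=1);

const ALLOWED_TABLES = ['users', 'staff'];

function insertUser(PDO $db, string $table, array $input): int
{
    // Placeholders bind values only, so the identifier is checked against
    // a fixed list before it is interpolated into the statement text.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('table not allowed');
    }
    $stmt = $db->prepare(
        "INSERT INTO `$table` (first_name, last_name, username)
         VALUES (:first_name, :last_name, :username)"
    );
    foreach (['first_name', 'last_name', 'username'] as $field) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) { // a field sent as first_name[]=x arrives as an array
            throw new InvalidArgumentException("$field must be a string");
        }
        $stmt->bindValue(":$field", $value, PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, username TEXT)');

// Constructed input: SQL metacharacters in a bound value are stored as plain data.
$hostile = ['first_name' => "x'); DROP TABLE users; --", 'last_name' => 'Doe', 'username' => 'jdoe'];
$id = insertUser($db, 'users', $hostile);
$check = $db->prepare('SELECT first_name FROM users WHERE id = :id');
$check->execute([':id' => $id]);
var_dump($check->fetchColumn() === $hostile['first_name']);

// A table name outside the allow-list is rejected before any SQL is built.
try {
    insertUser($db, 'users` (first_name) SELECT 1; --', $hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected\n";
}
```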
 