How to patch holes?

1.
$num = $_GET['num']; // raw query-string value, dropped into the LIMIT below without any check

$res = mysqli_query($connection, "SELECT * FROM `videos` ORDER BY `id` DESC LIMIT $num, 20");

Here it is possible to carry out an SQL injection; how do I fix it?

2.
mysqli_query($connection,"INSERT INTO `comment` (`name`,`text_comment`,`date`,`the primary objective of BCC`) VALUES('".$_POST['name']."','".$_POST['text']."', NOW(), '".$vidos['id']."')"); // $_POST values and $vidos['id'] are concatenated straight into the SQL string


And here it seems to be possible too. Where are the vulnerable spots, and how do I fix them?
June 27th 19 at 15:04
3 answers
June 27th 19 at 15:06
Solution
Use PDO (with placeholders) instead of mysqli; that is the right way.
With numbers you can at least do $num = intval($_GET['num']);
With strings it is harder; just Google "protection from sql injection", there are a number of functions like php.net/manual/en/function.strip-tags.php
June 27th 19 at 15:08
Use prepared statements with placeholders.
June 27th 19 at 15:10
First, substitution (PDO, prepared statements).
Second, mysqli_escape and company.
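The fix all three answers point at, written out. This is an added example, not code from the question or from any of the answers: the two queries from the question rewritten with prepared statements, first with mysqli (the extension the question already uses), then the same two with PDO. It assumes $connection is a live mysqli handle, $vidos['id'] is an integer, and that the garbled column name in the INSERT is called `video_id` (a hypothetical name; the real one is unreadable on the page). The PDO DSN and credentials are placeholders.

```php
<?php
// Added example: parameterised versions of the two queries in the question.
// Assumptions: $connection is a mysqli handle, $vidos['id'] is an int, and
// the unreadable column in the INSERT is called `video_id` (hypothetical).
declare(strict_types=1);

// --- 1. Numeric offset in LIMIT ------------------------------------------
// Validate first: LIMIT takes a non-negative integer. filter_var rejects
// input such as "0 UNION SELECT ..." outright; anything invalid becomes 0.
$num = filter_var($_GET['num'] ?? 0, FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 0, 'default' => 0],
]);

// mysqli: the offset is bound as an integer ('i'), so it is sent as data
// and can never become part of the SQL text.
$stmt = $connection->prepare(
    'SELECT * FROM `videos` ORDER BY `id` DESC LIMIT ?, 20'
);
$stmt->bind_param('i', $num);
$stmt->execute();
$videos = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
$stmt->close();

// --- 2. Strings from $_POST in INSERT -------------------------------------
// Placeholders ('s') replace the string concatenation; quotes, backslashes
// or semicolons inside the comment are stored literally, not executed.
$name    = (string) ($_POST['name'] ?? '');
$text    = (string) ($_POST['text'] ?? '');
$videoId = (int) $vidos['id'];

$stmt = $connection->prepare(
    'INSERT INTO `comment` (`name`, `text_comment`, `date`, `video_id`)
     VALUES (?, ?, NOW(), ?)'
);
$stmt->bind_param('ssi', $name, $text, $videoId);
$stmt->execute();
$stmt->close();

// --- Same two queries with PDO --------------------------------------------
// Emulated prepares are turned off so the driver sends real parameters.
// With emulation on, a LIMIT value bound without PDO::PARAM_INT is quoted
// ("LIMIT '5', 20") and MySQL rejects the statement, so the explicit type
// on bindValue() matters either way. DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$stmt = $pdo->prepare('SELECT * FROM `videos` ORDER BY `id` DESC LIMIT :off, 20');
$stmt->bindValue(':off', $num, PDO::PARAM_INT);
$stmt->execute();
$videos = $stmt->fetchAll(PDO::FETCH_ASSOC);

$stmt = $pdo->prepare(
    'INSERT INTO `comment` (`name`, `text_comment`, `date`, `video_id`)
     VALUES (:name, :text, NOW(), :vid)'
);
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->bindValue(':text', $text, PDO::PARAM_STR);
$stmt->bindValue(':vid', $videoId, PDO::PARAM_INT);
$stmt->execute();
```

Two caveats worth keeping in mind when choosing between the answers: escaping with mysqli_real_escape_string only protects values that sit inside quotes, so it does nothing for the unquoted LIMIT offset in query 1, where an integer cast or bound integer parameter is the only correct fix; and strip_tags is an HTML sanitiser, it does not touch quotes or SQL syntax, so it is not a defence against injection. Prepared statements cover both queries with one mechanism because the SQL text is compiled before any user data reaches the server.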
