
How is my injection protection?

Submitted by: @import:stackexchange-codereview

Problem

What do I need to do to prevent injections? In addition, if I have any statement/parameter errors, please tell me.

```
= 6 && $uLength ";

}
if ($emailLength >= 3 && $emailLength <= 42) {

} else {

$errorMessage = $errorMessage . "Email must be between 3 and 42 characters" . "<BR>";

}

if ($pLength >= 8 && $pLength ";

}
if ($cpLength >= 8 && $cpLength ";
}
$user_name = 'u904609109_dev';
$pass_word = '_____';
$database = 'u904609109_users';
$server = 'mysql.2freehosting.com';

$con = mysqli_connect($server, $user_name, $pass_word, $database);
if (mysqli_connect_error()) {
die('Connect Error: (' . mysqli_connect_errno() . ') ' . mysqli_connect_error());
}

echo 'Connect Error:' . $mysqli->host_info . "\n";

$result = mysqli_query($con, $database);
if (!$result) {
die("Failed to load " . mysqli_error($con));
}

$dblink = "SELECT * FROM users WHERE (username= '" . $username . "')";
$dblink->bind_param('username', $username);
if ($dblink) {
}

$result2 = mysqli_query($result, ($dblink));
$num_rows = mysqli_num_rows($result);

if ($num_rows > 0) {

$errorMessage = "Username already taken";

} else {
}
$dblink = $mysqli_query("SELECT * FROM users WHERE (email = '" . $email . "')");
$dblink->bind_param('username', $username);
if ($dblink) {
}
$result2 = mysqli_query($result, $dblink);
$num_rows = mysqli_num_rows($result);

if ($num_rows > 0) {

$errorMessage = "Email already taken";

} else {
}
$username = mysqli_real_escape_string($username);
$pass = mysqli_real_escape_string($pass);
$cpass = mysqli_real_escape_string($cpass);
$gender = mysqli_real_escape_string($gender);
$email = mysqli_real_escape_string($email);
$firstname = mysqli_real_escape_string($firstname);
$lastname = mysqli_real_escape_string($lastname);
$address = mysqli_real_escape_string($address);
$phone = mysqli_real_escape_string($phone);

$username= $_POST[($username)];
$pass= $_POST[($pass)];
$cpass= $_POST[($cpass)];
$gender= $_POST[($gender)];
$email= $_POST[($email)];
$firstname= $_POST[($firstname)];
$lastname= $_POST[($lastname)];
$address= $_POST[($address)];
$
```

Solution

Give me parameterized SQL or give me death!

Seriously. Use prepared statements! Don't use mysqli_query as that makes your code vulnerable to SQL Injection. By using prepared statements, you won't need the mysqli_real_escape_string calls anymore.

This code looks nasty:

```
$result1 = mysqli_query($con, $sql);
if (!$result1 || mysqli_query($con, $sql)) {
    die('Invalid query: ' . mysqli_error());
}
```

First you perform the query. If the query fails (i.e. it returns a false-ish value), you die, but if the query works then you call the query again. And if the second query is successful, then you call die.

THAT MAKES NO SENSE!

This code can't possibly be working:

```
$dblink = "SELECT * FROM users WHERE (username= '" . $username . "')";
$dblink->bind_param('username', $username);
```

And again, don't concatenate SQL queries! Use prepared statements!

Use better variable names!

What is $result1 and what is $result2? Describe what the result is for in the variable name.

You have a whole bunch of empty blocks, such as this:

```
if ($emailLength >= 3 && $emailLength <= 42) {

} else {

$errorMessage = $errorMessage . "Email must be between 3 and 42 characters" . "<BR>";

}
```

Also work on your indentation. After fixing the indentation, the if-logic and the string concatenation (and I suggest that you write your HTML tags in lowercase), this can be:

```
if ($emailLength < 3 || $emailLength > 42) {
    $errorMessage .= "Email must be between 3 and 42 characters<br>";
}
```
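
As an added example, not code from the original poster or from the answer above, here is the same registration flow rewritten with mysqli prepared statements, which is what the answer recommends in place of string concatenation and mysqli_real_escape_string. It assumes a `users` table with columns username, email, password_hash, firstname and lastname, a UNIQUE index on both username and email, and placeholder connection credentials; none of those details come from the original post.

```php
<?php
// Added example, not the original poster's code: the registration flow
// rewritten with mysqli prepared statements, as the answer recommends.
// Assumed (not from the original post): a `users` table with columns
// username, email, password_hash, firstname, lastname, a UNIQUE index on
// username and on email, and placeholder connection credentials.
declare(strict_types=1);

// Throw mysqli_sql_exception on any error instead of returning false, so a
// failed query can never be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$db->set_charset('utf8mb4');

// Read the POSTed fields by their literal names (the original indexed
// $_POST with the variables themselves, which are undefined at that point).
$username  = $_POST['username']  ?? '';
$email     = $_POST['email']     ?? '';
$pass      = $_POST['pass']      ?? '';
$cpass     = $_POST['cpass']     ?? '';
$firstname = $_POST['firstname'] ?? '';
$lastname  = $_POST['lastname']  ?? '';

$errors = [];
$emailLength = strlen($email);
if ($emailLength < 3 || $emailLength > 42) {
    $errors[] = 'Email must be between 3 and 42 characters';
}
if (strlen($pass) < 8) {
    $errors[] = 'Password must be at least 8 characters';
}
if ($pass !== $cpass) {
    $errors[] = 'Passwords do not match';
}

// True if some row has $column = $value. Column names cannot be bound as
// parameters, so the name comes from a fixed whitelist; only the value is
// bound, and the driver sends it separately from the SQL text.
function rowExists(mysqli $db, string $column, string $value): bool
{
    if (!in_array($column, ['username', 'email'], true)) {
        throw new InvalidArgumentException('unexpected column');
    }
    $stmt = $db->prepare("SELECT 1 FROM users WHERE $column = ? LIMIT 1");
    $stmt->bind_param('s', $value);   // 's' = string; "' OR 1=1 -- " stays a plain string
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

if ($errors === []) {
    if (rowExists($db, 'username', $username)) {
        $errors[] = 'Username already taken';
    }
    if (rowExists($db, 'email', $email)) {
        $errors[] = 'Email already taken';
    }
}

if ($errors !== []) {
    foreach ($errors as $e) {
        // Escape for the HTML output context; no SQL escaping is needed anywhere now.
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
    exit;
}

// Store a password hash, never the plaintext password.
$hash = password_hash($pass, PASSWORD_DEFAULT);

try {
    $stmt = $db->prepare(
        'INSERT INTO users (username, email, password_hash, firstname, lastname)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss', $username, $email, $hash, $firstname, $lastname);
    $stmt->execute();
    $stmt->close();
} catch (mysqli_sql_exception $e) {
    // 1062 = ER_DUP_ENTRY: another request registered the same name or email
    // between the checks above and this INSERT. The UNIQUE index is the real guard.
    if ($e->getCode() === 1062) {
        echo 'Username or email already taken';
        exit;
    }
    throw $e;
}

echo 'Registered';
```

Two points worth noting: the "already taken" lookups only exist to give a friendly message, since two concurrent registrations can both pass the check; the UNIQUE index and the duplicate-key handling on the INSERT are what actually enforce uniqueness. And the whitelist in `rowExists` is there because placeholders can only carry values, never table or column names, so any identifier that varies at runtime has to be validated against a fixed list rather than bound.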

Context

StackExchange Code Review Q#51421, answer score: 10