- You're redirecting to another web page before the SQL is executed.
- You don't have a semicolon at the end of the line.
- You don't have a `<form>` around the `<input>` tags.
- You shouldn't have to do very much else to stop SQL injection. As long as you're using MySQLi properly, you're fine.
Change this

```php
$statement->bind_param('sss', $name, $email, $content);
header('Location: /index.php');
$statement->execute()
```

to this

```php
$statement->bind_param('sss', $name, $email, $content);
$statement->execute();
$statement->close();
header('Location: /index.php');
```
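As an added example (not code from the answer above), here is a complete form handler that applies all three points: the inputs sit inside a `<form>`, the statement is executed with a proper semicolon before the redirect, and the statement is closed before `header()` is sent. It assumes a `messages(name, email, content)` table and placeholder database credentials.

```php
<?php
// Added example: contact-form handler using MySQLi prepared statements.
// Assumptions: a table `messages(name, email, content)` exists and the
// connection details below are replaced with real ones.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name    = $_POST['name']    ?? '';
    $email   = $_POST['email']   ?? '';
    $content = $_POST['content'] ?? '';

    try {
        $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // assumed credentials
        $db->set_charset('utf8mb4');

        // Placeholders keep user input out of the SQL text entirely,
        // which is what protects against injection here; no manual escaping needed.
        $statement = $db->prepare(
            'INSERT INTO messages (name, email, content) VALUES (?, ?, ?)'
        );
        $statement->bind_param('sss', $name, $email, $content);
        $statement->execute();   // runs the INSERT; note the semicolon
        $statement->close();
        $db->close();
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; do not echo SQL errors to the client.
        error_log('Contact form insert failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Could not save your message.');
    }

    // Redirect only after the row is written, then stop the script so
    // nothing further is output after the Location header.
    header('Location: /index.php');
    exit;
}
?>
<!-- The inputs must be inside a <form>, otherwise nothing gets submitted -->
<form method="post" action="">
    <input type="text"  name="name"    placeholder="Name">
    <input type="email" name="email"   placeholder="Email">
    <textarea name="content" placeholder="Message"></textarea>
    <input type="submit" value="Send">
</form>
```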