How can injection vulnerabilities be avoided when constructing dynamic SQL queries in PHP?
Injection vulnerabilities can be avoided by using prepared statements with parameterized queries in PHP (for example through PDO). This approach separates the SQL query logic from the user input: the statement text is fixed when it is prepared and the bound values are sent separately, so malicious input is always treated as data and cannot be executed as SQL code.
<?php
// Establish a database connection; throw exceptions on errors and disable
// emulated prepares so the database server, not the driver, binds the parameters
$pdo = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password", [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
// Prepare a SQL statement with a named placeholder for the user-supplied value
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
// Bind the user input to the parameter (the value travels separately from the SQL text)
$stmt->bindValue(':username', $_POST['username'] ?? '', PDO::PARAM_STR);
// Execute the query
$stmt->execute();
// Fetch the results as associative arrays
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
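As an added example (not code from the original answer), the following script contrasts a query built by string concatenation with its parameterized form, and covers the part of a "dynamic" query that placeholders cannot handle: column names and sort keywords, which must come from an allowlist owned by the code rather than from the request. The `users` table, its columns (`id`, `username`, `created_at`), the function names and the connection settings are assumptions for illustration.

```php
<?php
// Added example: injectable concatenation vs. parameterized query, plus an
// allowlist for the identifier parts of a dynamic ORDER BY. Table, columns,
// and connection details are assumed, not taken from the original answer.

declare(strict_types=1);

$pdo = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password", [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,          // real server-side prepares
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// VULNERABLE: the input becomes part of the SQL text, so a value containing
// quote or comment characters changes the meaning of the statement.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll();
}

// SAFE: the SQL text is fixed at prepare time; the value is sent separately and
// is only ever compared as data, whatever characters it contains.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare("SELECT id, username FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll();
}

// Placeholders only stand in for values. Identifiers (column names) and keywords
// (ASC/DESC) must be chosen from a map the code controls; the request supplies
// only the key used to look them up, never the SQL fragment itself.
function listUsersSorted(PDO $pdo, string $sortBy, string $direction, int $limit): array
{
    $allowedColumns    = ['id' => 'id', 'username' => 'username', 'created' => 'created_at'];
    $allowedDirections = ['asc' => 'ASC', 'desc' => 'DESC'];

    $dirKey = strtolower($direction);
    if (!isset($allowedColumns[$sortBy]) || !isset($allowedDirections[$dirKey])) {
        throw new InvalidArgumentException('Unsupported sort column or direction');
    }
    $column = $allowedColumns[$sortBy];        // taken from our own map, not from the request
    $dir    = $allowedDirections[$dirKey];

    // Identifier and keyword come from the allowlist; the numeric bound is still bound
    // as a typed parameter, so it cannot be turned into SQL either.
    $stmt = $pdo->prepare("SELECT id, username FROM users ORDER BY {$column} {$dir} LIMIT :limit");
    $stmt->bindValue(':limit', max(1, min($limit, 100)), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Usage with request input (constructed example; defaults apply when a key is absent)
$users = findUserSafe($pdo, $_GET['username'] ?? '');
$page  = listUsersSorted(
    $pdo,
    $_GET['sort'] ?? 'id',
    $_GET['dir'] ?? 'asc',
    (int)($_GET['limit'] ?? 20)
);
```

`findUserUnsafe` is included only to show the contrast; `findUserSafe` is the pattern to use. Disabling `PDO::ATTR_EMULATE_PREPARES` matters because with emulation the driver interpolates values client-side, and binding the `LIMIT` bound with `PDO::PARAM_INT` keeps that clause parameterized as well.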