How can input validation and sanitization be implemented in PHP to prevent SQL Injection attacks?

To prevent SQL Injection attacks in PHP, input validation and sanitization can be implemented by using prepared statements with parameterized queries. This involves separating the SQL query from the user input, which helps to prevent malicious SQL code from being executed. Additionally, input validation can be done by checking the type and format of user input before passing it to the database query.

// Example of implementing input validation and sanitization in PHP to prevent SQL Injection attacks

// Establish a database connection
$pdo = new PDO(&quot;mysql:host=localhost;dbname=mydatabase&quot;, &quot;username&quot;, &quot;password&quot;);

// User input
$userInput = $_POST[&#039;user_input&#039;];

// Prepare a SQL statement with a parameterized query
$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM users WHERE username = :username&quot;);

// Bind the user input to the parameter
$stmt-&gt;bindParam(&#039;:username&#039;, $userInput, PDO::PARAM_STR);

// Execute the query
$stmt-&gt;execute();

// Fetch the results
$results = $stmt-&gt;fetchAll(PDO::FETCH_ASSOC);

// Loop through the results
foreach ($results as $row) {
    // Output the data
    echo $row[&#039;username&#039;] . &quot;&lt;br&gt;&quot;;
}

Keywords

input validation sanitization PHP SQL Injection security

How can input validation and sanitization be implemented in PHP to prevent SQL Injection attacks?

Keywords

Related Questions