How can mysqli_real_escape_string be used to prevent SQL injection in PHP?

SQL injection is a common attack in which attacker-controlled input is inserted into an entry field and ends up being interpreted as part of the SQL statement, allowing the attacker to manipulate the database. One way to prevent it in PHP is the mysqli_real_escape_string function, which escapes the special characters in a string (quotes, backslashes, NUL and so on) before the string is placed in a query, so that they are treated as literal data rather than as SQL syntax. Two caveats apply: the function only protects a value that is placed inside a quoted string literal in the query, and it escapes according to the connection's character set, so that character set must be set explicitly on the connection (mysqli_set_charset) rather than assumed. Prepared statements with bound parameters are the preferred approach, because they separate the SQL text from the data and need no escaping at all.

<?php
// Establish a connection to the database
$mysqli = new mysqli("localhost", "username", "password", "database");

// Check connection
if ($mysqli->connect_error) {
    die("Connection failed: " . $mysqli->connect_error);
}

// Set the connection character set explicitly: mysqli_real_escape_string
// escapes according to this charset, so it must match what the query uses
$mysqli->set_charset("utf8mb4");

// Escape user input to prevent SQL injection
$username = mysqli_real_escape_string($mysqli, $_POST['username']);
$password = mysqli_real_escape_string($mysqli, $_POST['password']);

// Perform a SQL query using the escaped input.
// The escaped values are only safe because they sit inside single quotes.
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = $mysqli->query($query);

// Process the query result as needed
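The following is an added example, not part of the original answer, showing the same login lookup done with a prepared statement and bound parameters (the approach that removes the need for escaping), with the connection charset set so that any remaining mysqli_real_escape_string calls behave correctly, and with the password compared in PHP against a stored hash instead of in SQL. It assumes a MySQL server reachable with the placeholder credentials shown, a `users` table with columns `id`, `username` and `password_hash` (the latter produced by PHP's password_hash()), and the mysqlnd driver (needed for get_result()); those are assumptions for the example and not from the original page.

```php
<?php
// Added example (not from the original answer). Assumed: a MySQL database reachable
// with the placeholder credentials below and a `users` table with columns
// `id`, `username`, `password_hash` (hash produced by password_hash()).

// Throw exceptions on mysqli errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli("localhost", "username", "password", "database");

// mysqli_real_escape_string escapes according to the connection character set,
// so set it explicitly rather than relying on the server default.
$mysqli->set_charset("utf8mb4");

/**
 * Look up a user by name with a prepared statement. The value is sent to the
 * server separately from the SQL text, so it cannot change the query's structure;
 * no escaping is required and there is no quoting to get wrong.
 */
function findUser(mysqli $mysqli, string $username): ?array
{
    $stmt = $mysqli->prepare("SELECT id, username, password_hash FROM users WHERE username = ?");
    $stmt->bind_param("s", $username); // "s": bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Verify a login. The password is never compared inside SQL: the stored value is a
 * password_hash() digest and the check happens in PHP with password_verify().
 */
function login(mysqli $mysqli, string $username, string $password): bool
{
    $user = findUser($mysqli, $username);
    // Verify against a placeholder hash when the user is missing so that the
    // response time does not reveal whether the username exists.
    $hash = $user['password_hash'] ?? password_hash("placeholder", PASSWORD_DEFAULT);
    return $user !== null && password_verify($password, $hash);
}

/**
 * For legacy code that still builds SQL text by hand: an escaped value only stays
 * safe inside single quotes. In an unquoted numeric context escaping does nothing
 * useful, so enforce the type instead (or, better, bind it with "i" in a prepared statement).
 */
function findUserByIdLegacy(mysqli $mysqli, string $rawId): ?array
{
    $id = (int) $rawId; // unquoted numeric context: coerce the type, don't escape
    $result = $mysqli->query("SELECT id, username FROM users WHERE id = $id");
    $row = $result->fetch_assoc();
    return $row ?: null;
}

// Usage with request values (empty string if the field is absent):
$ok = login($mysqli, $_POST['username'] ?? '', $_POST['password'] ?? '');
echo $ok ? "login ok\n" : "login failed\n";
```

The prepared-statement form is the one to use for new code; `findUserByIdLegacy` is included only to show the case the original answer's technique does not cover, an unquoted value, where the fix is type enforcement rather than escaping.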