How can one prevent SQL injection when handling user input in PHP forms, such as in the provided code snippet?

To prevent SQL injection when handling user input in PHP forms, one should use prepared statements with parameterized queries instead of directly inserting user input into SQL queries. This helps to separate the SQL logic from the user input data, making it more secure and preventing malicious SQL injection attacks.

// Connect to database
$servername = &quot;localhost&quot;;
$username = &quot;username&quot;;
$password = &quot;password&quot;;
$dbname = &quot;myDB&quot;;

$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn-&gt;connect_error) {
    die(&quot;Connection failed: &quot; . $conn-&gt;connect_error);
}

// Prepare a SQL statement with a parameterized query
$stmt = $conn-&gt;prepare(&quot;INSERT INTO users (username, password) VALUES (?, ?)&quot;);
$stmt-&gt;bind_param(&quot;ss&quot;, $username, $password);

// Set parameters and execute
$username = $_POST[&#039;username&#039;];
$password = $_POST[&#039;password&#039;];
$stmt-&gt;execute();

// Close statement and connection
$stmt-&gt;close();
$conn-&gt;close();

Keywords

SQL injection user input PHP forms prepared statements security

How can one prevent SQL injection when handling user input in PHP forms, such as in the provided code snippet?

Keywords

Related Questions