How can PHP be used to sanitize and escape user input before inserting it into a database?
When inserting user input into a database, it is important to sanitize and escape the input to prevent SQL injection attacks. PHP provides functions like `mysqli_real_escape_string()` and `htmlspecialchars()` to sanitize and escape user input before inserting it into the database. These functions help to prevent malicious code from being executed when the input is used in SQL queries or displayed on a webpage.
// Connect to the database
$mysqli = new mysqli("localhost", "username", "password", "database");
// Sanitize and escape user input
$name = mysqli_real_escape_string($mysqli, $_POST['name']);
$email = mysqli_real_escape_string($mysqli, $_POST['email']);
$message = htmlspecialchars($_POST['message']);
// Insert the sanitized input into the database
$query = "INSERT INTO users (name, email, message) VALUES ('$name', '$email', '$message')";
$mysqli->query($query);
Keywords
Related Questions
- How can PHP files be protected from direct access using constants?
- How can PHP developers handle the conversion of time durations to seconds for more efficient storage and manipulation in databases?
- Are there any similarities between using the & symbol in PHP function parameters and the global keyword?