How can PHP developers avoid SQL injection vulnerabilities when working with databases?

To avoid SQL injection vulnerabilities when working with databases in PHP, developers should use prepared statements with parameterized queries. This approach separates SQL code from user input, preventing malicious SQL code from being executed. 

// Establish a database connection
$pdo = new PDO('mysql:host=localhost;dbname=my_database', 'username', 'password');

// Prepare a SQL statement with a parameterized query
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");

// Bind the parameter value
$stmt->bindParam(':username', $_POST['username']);

// Execute the statement
$stmt->execute();

// Fetch the results
$results = $stmt->fetchAll();

Keywords

SQL injection prepared statements parameterized queries PDO mysqli_prepare

Related Questions