How can PHP developers ensure data security and prevent SQL injection when interacting with a database like MSSQL?
To ensure data security and prevent SQL injection when interacting with a database like MSSQL, PHP developers should use prepared statements with parameterized queries. This approach separates SQL logic from user input, preventing malicious SQL injection attacks.
// Establish a connection to the MSSQL database
$serverName = "serverName";
$connectionOptions = array(
"Database" => "dbName",
"Uid" => "username",
"PWD" => "password"
);
$conn = sqlsrv_connect($serverName, $connectionOptions);
// Prepare and execute a parameterized query
$tsql = "SELECT * FROM Table WHERE column = ?";
$params = array($userInput);
$stmt = sqlsrv_query($conn, $tsql, $params);
// Fetch results safely
while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
echo $row['columnName'] . "<br />";
}
// Close the connection
sqlsrv_free_stmt($stmt);
sqlsrv_close($conn);