How can PHP developers prevent SQL injection attacks when retrieving data from databases using user input?

To prevent SQL injection attacks when retrieving data from databases using user input, PHP developers can use prepared statements with parameterized queries. This method ensures that user input is treated as data and not as SQL code, thus preventing malicious SQL injection attacks.

// Establish a database connection
$pdo = new PDO(&quot;mysql:host=localhost;dbname=mydatabase&quot;, &quot;username&quot;, &quot;password&quot;);

// Prepare a SQL statement with a parameterized query
$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM users WHERE username = :username&quot;);

// Bind the user input to the parameter
$stmt-&gt;bindParam(&#039;:username&#039;, $_POST[&#039;username&#039;]);

// Execute the query
$stmt-&gt;execute();

// Fetch the results
$results = $stmt-&gt;fetchAll(PDO::FETCH_ASSOC);

// Use the retrieved data as needed
foreach($results as $row) {
    echo $row[&#039;username&#039;] . &quot;&lt;br&gt;&quot;;
}

Keywords

Prepared Statements PDO mysqli_real_escape_string SQL Injection Data Sanitization

How can PHP developers prevent SQL injection attacks when retrieving data from databases using user input?

Keywords

Related Questions