How can PHP developers prevent SQL injection when concatenating strings in SQL queries?
To prevent SQL injection when building SQL queries in PHP, developers should stop concatenating user input into the query string and use prepared statements with parameterized queries instead. The query text is sent to the database separately from the values, so user input is only ever treated as data and cannot change the structure of the SQL statement.
<?php
// Establish a database connection; throw on errors so a failed prepare is not silently ignored
$pdo = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Untrusted input, for example a request parameter
$username = $_GET['username'] ?? '';
// Prepare a SQL query with a named placeholder; the value is never part of the SQL text
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
// Bind the parameter value to the placeholder
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
// Execute the query
$stmt->execute();
// Fetch the results
$results = $stmt->fetchAll();
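The following is an added example, not part of the original answer: it runs the concatenated query and the parameterized query side by side against an in-memory SQLite database (assumed available through pdo_sqlite so the script works offline; the MySQL DSN from the answer is used the same way), and it covers the case the answer does not mention, sort columns and directions, which cannot be bound as parameters and need an allowlist.

```php
<?php
// Added example (not from the original answer). SQLite in memory is an
// assumption chosen so the script runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also prefer native server-side prepares:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)");
$pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed untrusted input: a quote followed by an always-true condition.
$username = "x' OR '1'='1";

// Vulnerable: the input becomes part of the SQL grammar, so the WHERE
// clause matches every row instead of one username.
function findUserVulnerable(PDO $pdo, string $username): array {
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value travels separately from the query text and is only
// ever compared as data, never parsed as SQL.
function findUserSafe(PDO $pdo, string $username): array {
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Identifiers and keywords (column names, sort direction) cannot be bound as
// parameters; map them through an allowlist rather than concatenating input.
function listUsersSorted(PDO $pdo, string $column, string $direction): array {
    $allowedColumns = ['username' => 'username', 'role' => 'role'];
    $allowedDirections = ['asc' => 'ASC', 'desc' => 'DESC'];
    $dir = strtolower($direction);
    if (!isset($allowedColumns[$column], $allowedDirections[$dir])) {
        throw new InvalidArgumentException('unsupported sort option');
    }
    $sql = "SELECT username FROM users ORDER BY {$allowedColumns[$column]} {$allowedDirections[$dir]}";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(findUserVulnerable($pdo, $username));       // ['alice', 'bob']: every row leaks
var_dump(findUserSafe($pdo, $username));             // []: no user has that literal name
var_dump(listUsersSorted($pdo, 'username', 'desc')); // ['bob', 'alice']
```

The first two calls use identical input; only the hardened version keeps the quote and OR inside the compared value, which is the whole difference between concatenation and a parameterized query.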