How can PHP developers prevent SQL injection vulnerabilities when querying databases?

To prevent SQL injection vulnerabilities when querying databases in PHP, developers should use parameterized queries with prepared statements. This approach ensures that user input is treated as data rather than executable SQL code, effectively preventing malicious SQL injection attacks. 

// Establish a database connection
$pdo = new PDO('mysql:host=localhost;dbname=mydatabase', 'username', 'password');

// Prepare a SQL statement with a parameterized query
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');

// Bind the user input to the parameter
$username = $_POST['username'];
$stmt->bindParam(':username', $username);

// Execute the prepared statement
$stmt->execute();

// Fetch the results
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);

Keywords

SQL injection PHP prepared statements parameterized queries database security

Related Questions