How can PHP prevent SQL injection when handling form data?

SQL injection can be prevented in PHP by using prepared statements with parameterized queries. This method separates the SQL query logic from the user input, preventing malicious SQL code from being executed. By binding parameters to the query, the database treats them as data rather than executable code.

// Establish a database connection
$pdo = new PDO(&#039;mysql:host=localhost;dbname=mydatabase&#039;, &#039;username&#039;, &#039;password&#039;);

// Prepare a SQL statement with a parameterized query
$stmt = $pdo-&gt;prepare(&#039;SELECT * FROM users WHERE username = :username&#039;);

// Bind the user input to the parameter
$stmt-&gt;bindParam(&#039;:username&#039;, $_POST[&#039;username&#039;]);

// Execute the query
$stmt-&gt;execute();

// Fetch the results
$results = $stmt-&gt;fetchAll();

Keywords

PHP SQL injection prepared statements PDO mysqli

How can PHP prevent SQL injection when handling form data?

Keywords

Related Questions