How can prepared statements and PDO be used to prevent SQL injection in PHP?

To prevent SQL injection in PHP, prepared statements and PDO can be used. Prepared statements separate SQL code from user input, preventing malicious SQL code from being executed. PDO (PHP Data Objects) is a database access layer that provides a flexible and secure way to interact with databases in PHP.

// Establish a connection to the database using PDO
$pdo = new PDO(&#039;mysql:host=localhost;dbname=mydatabase&#039;, &#039;username&#039;, &#039;password&#039;);

// Prepare a SQL statement with placeholders for user input
$stmt = $pdo-&gt;prepare(&#039;SELECT * FROM users WHERE username = :username&#039;);

// Bind the user input to the placeholders
$stmt-&gt;bindParam(&#039;:username&#039;, $_POST[&#039;username&#039;]);

// Execute the prepared statement
$stmt-&gt;execute();

// Fetch the results
$results = $stmt-&gt;fetchAll();

Keywords

Prepared statements PDO SQL injection PHP Security

How can prepared statements and PDO be used to prevent SQL injection in PHP?

Keywords

Related Questions