How can prepared statements be utilized to prevent SQL injection in PHP when inserting data into a database?

SQL injection can be prevented in PHP by using prepared statements. Prepared statements separate the SQL query from the user input, preventing malicious SQL code from being injected into the query. This is achieved by binding parameters to the query before execution.

// Establish a database connection
$pdo = new PDO(&#039;mysql:host=localhost;dbname=mydatabase&#039;, &#039;username&#039;, &#039;password&#039;);

// Prepare a SQL statement with a placeholder for the user input
$stmt = $pdo-&gt;prepare(&quot;INSERT INTO users (username, password) VALUES (:username, :password)&quot;);

// Bind the parameters to the placeholders
$stmt-&gt;bindParam(&#039;:username&#039;, $username);
$stmt-&gt;bindParam(&#039;:password&#039;, $password);

// Set the values of the parameters
$username = $_POST[&#039;username&#039;];
$password = $_POST[&#039;password&#039;];

// Execute the prepared statement
$stmt-&gt;execute();

Keywords

Prepared statements SQL injection PHP database security

How can prepared statements be utilized to prevent SQL injection in PHP when inserting data into a database?

Keywords

Related Questions