How can prepared statements in PHP prevent SQL injection?
Prepared statements in PHP can prevent SQL injection by separating SQL code from user input. This means that user input is treated as data rather than executable code, making it impossible for attackers to inject malicious SQL queries. Prepared statements also automatically handle escaping special characters, further protecting against SQL injection attacks.
// Using prepared statements to prevent SQL injection
// Establish a database connection
$pdo = new PDO('mysql:host=localhost;dbname=mydatabase', 'username', 'password');
// Prepare a SQL statement with a placeholder for user input
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
// Bind the user input to the placeholder
$stmt->bindParam(':username', $_POST['username']);
// Execute the prepared statement
$stmt->execute();
// Fetch the results
$results = $stmt->fetchAll();
Related Questions
- What best practices should be followed when configuring Apache and PHP to ensure proper functionality and compatibility?
- How can regular expressions be used to validate user input in PHP?
- In what scenarios is it recommended to use $_GET instead of $_SESSION for passing variables between PHP scripts?