How can prepared statements or data escaping be used to prevent SQL injections in PHP scripts?

To prevent SQL injection in PHP scripts, use prepared statements or data escaping. Prepared statements send the SQL query to the database separately from the user input, so the input is always treated as data and is never parsed as part of the query. Data escaping adds escape characters in front of special characters in the user input, so that the input loses any SQL meaning when it is placed inside a quoted string literal in the query.

// Using prepared statements to prevent SQL injections.
// Assumes $pdo is an open PDO connection; the query text with placeholders is
// prepared first and the values are bound afterwards, so they are never parsed as SQL.
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password");
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->bindParam(':password', $password, PDO::PARAM_STR);
$stmt->execute();
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// Using data escaping to prevent SQL injections.
// Assumes $conn is an open mysqli connection. The escaping function uses the
// connection's character set, so set it first, and only use the escaped values
// inside quoted string literals in the query.
mysqli_set_charset($conn, 'utf8mb4');
$username = mysqli_real_escape_string($conn, $username);
$password = mysqli_real_escape_string($conn, $password);

$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($conn, $sql);
$user = mysqli_fetch_assoc($result);
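A fuller version of both approaches, added here as an example rather than taken from the original answer, and going beyond it by showing what placeholders cannot cover (an identifier such as a sort column, handled with an allow-list) and the character-set dependence of escaping. It assumes a MySQL database reachable with the constructed DSN and credentials below and a `users` table with columns `id`, `username` and `created_at`.

```php
<?php
declare(strict_types=1);

// Added example; DSN, credentials and the users table are constructed assumptions.
function connect(): PDO {
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',   // constructed DSN
        'app_user', 'app_password',                          // constructed credentials
        [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            // Native server-side prepares: values never get spliced into the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// The prefix and the limit travel as bound values. The ORDER BY column cannot be a
// placeholder (placeholders only stand in for values), so it is checked against an
// allow-list and only the allow-listed spelling is interpolated.
function findUsers(PDO $pdo, string $namePrefix, string $orderBy, int $limit): array {
    $allowedColumns = ['username' => 'username', 'created_at' => 'created_at'];
    if (!isset($allowedColumns[$orderBy])) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $column = $allowedColumns[$orderBy];

    $stmt = $pdo->prepare(
        "SELECT id, username FROM users WHERE username LIKE :prefix ORDER BY $column LIMIT :lim"
    );
    // Escape LIKE wildcards in the user-supplied prefix so they match literally.
    $pattern = addcslashes($namePrefix, '%_\\') . '%';
    $stmt->bindValue(':prefix', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escaping route: mysqli_real_escape_string() escapes according to the connection's
// character set, so the charset is set first, and the result is only ever used
// inside a single-quoted string literal.
function findUserEscaped(mysqli $conn, string $username): ?array {
    mysqli_set_charset($conn, 'utf8mb4');
    $safe = mysqli_real_escape_string($conn, $username);
    $result = mysqli_query($conn, "SELECT id, username FROM users WHERE username = '$safe'");
    $row = mysqli_fetch_assoc($result);
    return $row ?: null;
}
```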