How can SQL injection be prevented when updating user information in PHP?
SQL injection can be prevented when updating user information in PHP by using prepared statements with parameterized queries. This approach separates the SQL query logic from the user input, making it impossible for malicious input to interfere with the query execution.
// Establish a database connection
$pdo = new PDO('mysql:host=localhost;dbname=mydatabase', 'username', 'password');
// Prepare a SQL statement with placeholders
$stmt = $pdo->prepare("UPDATE users SET email = :email WHERE id = :id");
// Bind the parameters
$stmt->bindParam(':email', $newEmail);
$stmt->bindParam(':id', $userId);
// Execute the statement
$stmt->execute();
Related Questions
- In terms of scalability and maintenance, is it advisable to opt for a complete custom development approach or utilize existing solutions for a room booking system in PHP?
- What is the purpose of using SQLiteObjectStore in PHP and how does it work?
- How can SQL injection be prevented in PHP when handling user input from forms?