How can SQL injection be prevented in PHP when handling user input from forms?

SQL injection can be prevented in PHP when handling user input from forms by using prepared statements with parameterized queries. This method separates the SQL query from the user input, preventing malicious SQL code from being executed. By using prepared statements, the input is treated as data rather than executable code, making it secure against SQL injection attacks.

// Establish a connection to the database
$pdo = new PDO(&#039;mysql:host=localhost;dbname=your_database&#039;, &#039;username&#039;, &#039;password&#039;);

// Prepare a SQL statement with a placeholder for user input
$stmt = $pdo-&gt;prepare(&#039;SELECT * FROM users WHERE username = :username&#039;);

// Bind the user input to the placeholder
$stmt-&gt;bindParam(&#039;:username&#039;, $_POST[&#039;username&#039;]);

// Execute the query
$stmt-&gt;execute();

// Fetch the results
$results = $stmt-&gt;fetchAll();

Keywords

SQL injection PHP user input forms security

How can SQL injection be prevented in PHP when handling user input from forms?

Keywords

Related Questions