How can SQL injection be prevented in PHP code?
SQL injection can be prevented in PHP code by using prepared statements with parameterized queries. This approach separates SQL code from user input, preventing malicious SQL commands from being executed. By binding parameters to placeholders in the SQL query, the database engine can distinguish between code and data, effectively thwarting SQL injection attacks.
// Establish a connection to the database
$pdo = new PDO('mysql:host=localhost;dbname=my_database', 'username', 'password');
// Prepare a SQL query with placeholders
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
// Bind parameters to placeholders
$stmt->bindParam(':username', $username);
// Execute the query
$stmt->execute();
// Fetch results
$results = $stmt->fetchAll();
Related Questions
- What are some common challenges when working with PEAR packages in PHP?
- How can PHP developers leverage JavaScript and AJAX techniques to enhance user interactions and improve the overall user experience in web applications?
- What are the potential pitfalls of using array_combine in PHP when working with multiple arrays?