How can SQL injection be prevented in PHP code?
SQL injection can be prevented in PHP code by using prepared statements with parameterized queries. This approach separates SQL code from user input, preventing malicious SQL commands from being executed. By binding parameters to placeholders in the SQL query, the database engine can distinguish between code and data, effectively thwarting SQL injection attacks.
// Establish a connection to the database
$pdo = new PDO('mysql:host=localhost;dbname=my_database', 'username', 'password');
// Prepare a SQL query with placeholders
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
// Bind parameters to placeholders
$stmt->bindParam(':username', $username);
// Execute the query
$stmt->execute();
// Fetch results
$results = $stmt->fetchAll();
Related Questions
- What are some best practices for using if conditions and includes in PHP to optimize code readability and efficiency?
- What are the best practices for fetching and storing data from a MySQL database into multidimensional arrays in PHP?
- In what ways can contacting the server provider or admin help in resolving PHP parsing issues on the server?