How can SQL injection be prevented in PHP when interacting with a database?
SQL injection can be prevented in PHP by using prepared statements with parameterized queries. This approach separates the SQL query logic from the user input, making it impossible for malicious input to alter the query structure.
// Establish a database connection
$pdo = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password");
// Prepare a SQL statement with a placeholder for user input
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
// Bind the user input to the placeholder
$stmt->bindParam(':username', $_POST['username']);
// Execute the prepared statement
$stmt->execute();
// Fetch the results
$results = $stmt->fetchAll();