How can SQL injection vulnerabilities be prevented when inserting variables into SQL queries in PHP?
SQL injection vulnerabilities can be prevented by using prepared statements with parameterized queries in PHP. This approach separates the SQL query logic from the user input, preventing malicious SQL code from being executed.
// Example of preventing SQL injection with prepared statements in PHP
// Establish a database connection
$pdo = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password");
// Prepare a SQL statement with a parameterized query
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
// Bind the parameter value to the query
$stmt->bindParam(':username', $username);
// Execute the query
$stmt->execute();
// Fetch the results
$results = $stmt->fetchAll();