How can SQL injection vulnerabilities be mitigated when building dynamic SQL queries in PHP?

SQL injection is mitigated by never splicing user input into the SQL text. Use prepared statements with bound parameters (PDO or mysqli): the query is sent to the server with placeholders, and the values are sent separately, so they are treated purely as data and cannot change the structure of the statement. Two caveats: placeholders only stand in for values, so a table or column name, ORDER BY column, or LIMIT taken from the user must be validated against an allow-list before it is interpolated; and with the MySQL driver, PDO emulates prepares client-side by default, so disable PDO::ATTR_EMULATE_PREPARES to get true server-side prepared statements.

<?php
// Create a PDO connection; throw on errors and use real server-side
// prepared statements rather than client-side emulation
$pdo = new PDO(
    'mysql:host=localhost;dbname=mydatabase;charset=utf8mb4',
    'username',
    'password',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Prepare a SQL query with a named placeholder for the user input
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");

// Bind the user input to the placeholder by value (bindParam binds by
// reference, which is only needed for output parameters); a missing
// form field becomes an empty string instead of an undefined-index warning
$stmt->bindValue(':username', $_POST['username'] ?? '', PDO::PARAM_STR);

// Execute the query; the bound value travels separately from the SQL text
$stmt->execute();

// Fetch the results
$results = $stmt->fetchAll();
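As an added example (not part of the original answer), the script below contrasts string concatenation with a prepared statement on an in-memory SQLite database so it runs offline, and also shows the allow-list pattern for a caller-chosen ORDER BY column, which placeholders cannot protect. The users table, its three rows, and the function names are constructed for this illustration.

```php
<?php
// Added example: vulnerable vs. prepared query, plus identifier allow-listing.
// Uses in-memory SQLite with constructed sample rows so it runs offline.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

// Constructed sample schema and data
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)");
$seed = $pdo->prepare("INSERT INTO users (username, role) VALUES (?, ?)");
foreach ([['alice', 'admin'], ['bob', 'user'], ['carol', 'user']] as $row) {
    $seed->execute($row);
}

// Vulnerable: the input is concatenated into the SQL text, so quote
// characters in it are parsed as part of the statement.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT username, role FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll();
}

// Hardened: the input is passed as a bound value and never parsed as SQL.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare("SELECT username, role FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll();
}

// Placeholders cannot stand in for identifiers, so a caller-chosen sort
// column is mapped through an allow-list and only the trusted name is
// interpolated into the statement.
function listUsersSorted(PDO $pdo, string $orderBy): array
{
    $allowed = ['username' => 'username', 'role' => 'role'];
    if (!isset($allowed[$orderBy])) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $sql = "SELECT username, role FROM users ORDER BY " . $allowed[$orderBy] . ", username";
    return $pdo->query($sql)->fetchAll();
}

// Classic tautology payload: closes the string literal and appends OR '1'='1'
$payload = "' OR '1'='1";

printf("vulnerable query returned %d rows for the payload\n",
    count(findUserVulnerable($pdo, $payload)));   // 3: every row leaks
printf("prepared query returned %d rows for the payload\n",
    count(findUserSafe($pdo, $payload)));         // 0: no user has that literal name
printf("prepared query returned %d row for 'alice'\n",
    count(findUserSafe($pdo, 'alice')));          // 1

printf("sorted by role: %s\n",
    implode(', ', array_column(listUsersSorted($pdo, 'role'), 'username')));

try {
    listUsersSorted($pdo, "role; DROP TABLE users");
} catch (InvalidArgumentException $e) {
    echo "rejected sort column: " . $e->getMessage() . "\n";
}
```

Run it with `php` from the command line; the first two counts are the whole point: the same payload returns every row through the concatenated query and nothing through the prepared one. The allow-list maps user input to a fixed set of known identifiers rather than trying to sanitize the string, which is the only reliable way to handle the parts of a query that placeholders cannot cover.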