How can SQL injection vulnerabilities be addressed in PHP code that interacts with a MySQL database?

SQL injection vulnerabilities can be addressed in PHP code that interacts with a MySQL database by using prepared statements with parameterized queries. This method allows the database to distinguish between code and data, preventing malicious SQL commands from being executed. By binding parameters to placeholders in the query, the input data is treated as data rather than executable code.

// Establish a connection to the MySQL database
$mysqli = new mysqli(&quot;localhost&quot;, &quot;username&quot;, &quot;password&quot;, &quot;database&quot;);

// Prepare a SQL statement with placeholders for parameters
$stmt = $mysqli-&gt;prepare(&quot;SELECT * FROM users WHERE username = ? AND password = ?&quot;);

// Bind parameters to the placeholders
$stmt-&gt;bind_param(&quot;ss&quot;, $username, $password);

// Set the parameter values
$username = $_POST[&#039;username&#039;];
$password = $_POST[&#039;password&#039;];

// Execute the prepared statement
$stmt-&gt;execute();

// Fetch the results
$result = $stmt-&gt;get_result();

// Process the results as needed
while ($row = $result-&gt;fetch_assoc()) {
    // Do something with the data
}

// Close the statement and the database connection
$stmt-&gt;close();
$mysqli-&gt;close();

Keywords

SQL injection PHP code MySQL database security measures prepared statements

How can SQL injection vulnerabilities be addressed in PHP code that interacts with a MySQL database?

Keywords

Related Questions