How can SQL injection vulnerabilities be addressed in the provided PHP script?

SQL injection vulnerabilities can be addressed in the provided PHP script by using prepared statements with parameterized queries. This approach helps prevent malicious SQL injection attacks by separating SQL code from user input data. 

// Original vulnerable code
$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($conn, $query);

// Fixed code using prepared statements
$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username=? AND password=?";
$stmt = $conn->prepare($query);
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$result = $stmt->get_result();

Related Questions