How can SQL injection vulnerabilities be avoided in PHP code?

SQL injection vulnerabilities can be avoided in PHP code by using prepared statements with parameterized queries. This approach separates the SQL query logic from the user input, preventing malicious SQL code from being injected into the query.

// Establish a database connection
$pdo = new PDO(&#039;mysql:host=localhost;dbname=mydatabase&#039;, &#039;username&#039;, &#039;password&#039;);

// Prepare a SQL statement with a parameterized query
$stmt = $pdo-&gt;prepare(&#039;SELECT * FROM users WHERE username = :username&#039;);

// Bind the user input to the parameter
$stmt-&gt;bindParam(&#039;:username&#039;, $_POST[&#039;username&#039;]);

// Execute the query
$stmt-&gt;execute();

// Fetch the results
$results = $stmt-&gt;fetchAll();

// Process the results as needed
foreach ($results as $row) {
    // Do something with the data
}

Keywords

SQL injection PHP code prepared statements parameterized queries input validation

How can SQL injection vulnerabilities be avoided in PHP code?

Keywords

Related Questions