How can SQL Injection vulnerabilities be prevented in PHP code when querying a database?

SQL Injection vulnerabilities can be prevented in PHP code by using prepared statements with parameterized queries. This approach separates the SQL query logic from the user input, making it impossible for malicious input to alter the query structure. By binding user input to parameters in the query, the database engine can distinguish between code and data, effectively preventing SQL Injection attacks.

// Establish a database connection
$pdo = new PDO(&quot;mysql:host=localhost;dbname=mydatabase&quot;, &quot;username&quot;, &quot;password&quot;);

// Prepare a SQL statement with a parameterized query
$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM users WHERE username = :username&quot;);

// Bind user input to the parameter
$username = $_POST[&#039;username&#039;];
$stmt-&gt;bindParam(&#039;:username&#039;, $username);

// Execute the prepared statement
$stmt-&gt;execute();

// Fetch the results
$results = $stmt-&gt;fetchAll(PDO::FETCH_ASSOC);

Keywords

SQL Injection PHP code database querying prepared statements parameterized queries

How can SQL Injection vulnerabilities be prevented in PHP code when querying a database?

Keywords

Related Questions