How can SQL Injections be prevented in PHP code when querying a database for user credentials?

SQL Injections can be prevented in PHP code when querying a database for user credentials by using prepared statements with parameterized queries. This method ensures that user input is treated as data rather than executable code, preventing malicious SQL injection attacks.

// Establish a database connection
$pdo = new PDO(&#039;mysql:host=localhost;dbname=mydatabase&#039;, &#039;username&#039;, &#039;password&#039;);

// Prepare a SQL statement with placeholders for user input
$stmt = $pdo-&gt;prepare(&#039;SELECT * FROM users WHERE username = :username AND password = :password&#039;);

// Bind the user input to the placeholders
$stmt-&gt;bindParam(&#039;:username&#039;, $_POST[&#039;username&#039;]);
$stmt-&gt;bindParam(&#039;:password&#039;, $_POST[&#039;password&#039;]);

// Execute the query
$stmt-&gt;execute();

// Fetch the result
$user = $stmt-&gt;fetch();

Keywords

SQL Injections PHP code database user credentials prevention

How can SQL Injections be prevented in PHP code when querying a database for user credentials?

Keywords

Related Questions