How can the PHP script be improved to prevent SQL injection vulnerabilities?
To prevent SQL injection vulnerabilities in PHP, it is important to use prepared statements with parameterized queries instead of directly inserting user input into SQL queries. This helps to separate the SQL query logic from the user input, making it harder for attackers to inject malicious SQL code.
// Connect to the database
$pdo = new PDO('mysql:host=localhost;dbname=mydatabase', 'username', 'password');
// Prepare a SQL statement with a parameterized query
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username AND password = :password');
// Bind the parameters
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $password);
// Execute the statement
$stmt->execute();
// Fetch the result
$result = $stmt->fetch();