How can you prevent SQL injection when retrieving data from a database in PHP?

SQL injection can be prevented in PHP by using prepared statements and parameterized queries. This involves using placeholders in the SQL query and binding variables to those placeholders before execution. This ensures that user input is treated as data and not as part of the SQL query, thus preventing malicious SQL injection attacks.

// Establish a connection to the database
$pdo = new PDO(&#039;mysql:host=localhost;dbname=database&#039;, &#039;username&#039;, &#039;password&#039;);

// Prepare a SQL query with a placeholder
$stmt = $pdo-&gt;prepare(&#039;SELECT * FROM users WHERE username = :username&#039;);

// Bind the user input to the placeholder
$stmt-&gt;bindParam(&#039;:username&#039;, $_POST[&#039;username&#039;]);

// Execute the query
$stmt-&gt;execute();

// Fetch the results
$results = $stmt-&gt;fetchAll(PDO::FETCH_ASSOC);

// Use the results as needed
foreach ($results as $row) {
    echo $row[&#039;username&#039;] . &#039;&lt;br&gt;&#039;;
}

Keywords

SQL injection database security prepared statements parameterized queries mysqli_real_escape_string

How can you prevent SQL injection when retrieving data from a database in PHP?

Keywords

Related Questions