In what situations is it recommended to use prepared statements or functions like mysql_real_escape_string to prevent SQL injection when dealing with user input in PHP?

To prevent SQL injection when dealing with user input in PHP, it is recommended to use prepared statements or functions like mysql_real_escape_string. Prepared statements send the query text and the parameter values to the database separately, so the database can distinguish code from data and user input is never parsed as SQL. mysql_real_escape_string escapes the characters that have special meaning inside a SQL string literal (quotes, backslashes, NUL) so that a value placed between quotes in a query cannot terminate the literal.

// Using prepared statements (PDO) to prevent SQL injection.
// The query text is sent with a placeholder; the value is bound separately,
// so a quote in the input cannot change the structure of the statement.
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->bindValue(':username', $_POST['username'] ?? '');
$stmt->execute();

// Using mysql_real_escape_string to prevent SQL injection.
// Note: the mysql_* extension was removed in PHP 7.0; on current PHP use
// mysqli_real_escape_string($link, ...) or, preferably, prepared statements.
// Escaping only protects values that are placed inside a quoted string literal.
$username = mysql_real_escape_string($_POST['username'] ?? '');
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($query);
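The difference between pasting input into the query text and binding it as a parameter, as an added runnable example that is not part of the original answer. It assumes the PDO SQLite driver is available and uses an in-memory database so it runs offline; the PDO calls are the same against a MySQL DSN.

```php
<?php
// Added example: in-memory SQLite via PDO (assumption: pdo_sqlite is enabled).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With a MySQL DSN, also set PDO::ATTR_EMULATE_PREPARES to false so the
// server itself parses the statement before any values are supplied.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Constructed test input: a value containing a quote that would alter the
// query's meaning if it were spliced into the SQL text.
$input = "x' OR '1'='1";

// Unsafe: string interpolation. The quote in $input closes the literal and the
// rest of the value is parsed as SQL, so the query matches every row.
$unsafe = $pdo->query("SELECT username FROM users WHERE username = '$input'")
              ->fetchAll(PDO::FETCH_COLUMN);

// Safe: prepared statement. $input is transmitted as data, so the database
// looks for a user literally named x' OR '1'='1 and finds none.
$stmt = $pdo->prepare("SELECT username FROM users WHERE username = :username");
$stmt->execute([':username' => $input]);
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);

printf("interpolated query matched %d rows, prepared statement matched %d rows\n",
       count($unsafe), count($safe));
```

Running it shows the interpolated query returning every user while the prepared statement returns none, which is the code/data separation the answer describes.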