In what ways can the provided PHP script be enhanced for better functionality and security measures?
Issue: The provided PHP script is vulnerable to SQL injection attacks due to directly concatenating user input into the SQL query. To enhance functionality and security, we should use prepared statements with parameterized queries to prevent SQL injection attacks. Code snippet with prepared statements:
// Connect to database
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// Prepare and bind SQL statement
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param("s", $username);
// Set parameters and execute
$username = $_POST['username'];
$stmt->execute();
// Get result
$result = $stmt->get_result();
// Output data of each row
while ($row = $result->fetch_assoc()) {
echo "id: " . $row["id"] . " - Name: " . $row["username"] . "<br>";
}
// Close statement and connection
$stmt->close();
$conn->close();
Related Questions
- How can beginners effectively search for PHP functions and documentation to address specific coding tasks?
- How important is it to address underlying security vulnerabilities in a PHP application rather than relying on encryption to conceal them?
- How can one optimize the use of preg_replace and str_replace functions in PHP to efficiently handle string replacements?