What are best practices for handling form data and database interactions in PHP scripts?

When handling form data and interacting with a database in PHP scripts, it is important to sanitize user input to prevent SQL injection attacks and validate the data to ensure it meets the required format. It is also recommended to use prepared statements when executing SQL queries to further protect against attacks. 

// Sanitize user input
$username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);

// Validate data
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo "Invalid email format";
    exit;
}

// Connect to database
$pdo = new PDO('mysql:host=localhost;dbname=database', 'username', 'password');

// Prepare and execute SQL query using prepared statements
$stmt = $pdo->prepare("INSERT INTO users (username, email) VALUES (:username, :email)");
$stmt->bindParam(':username', $username);
$stmt->bindParam(':email', $email);
$stmt->execute();

echo "Data inserted successfully";

Keywords

SQL injection PDO prepared statements form validation data sanitization

Related Questions