What are best practices for preventing SQL injection when handling user input in PHP?
SQL injection can be prevented in PHP by using prepared statements with parameterized queries instead of directly inserting user input into SQL queries. This helps to separate the SQL logic from the user input, preventing malicious SQL code from being executed.
// Establish a database connection
$pdo = new PDO('mysql:host=localhost;dbname=mydatabase', 'username', 'password');
// Prepare a SQL statement with a parameterized query
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
// Bind the user input to the parameter
$stmt->bindParam(':username', $_POST['username']);
// Execute the statement
$stmt->execute();
// Fetch the results
$results = $stmt->fetchAll();
Related Questions
- How can PHP developers ensure data consistency when working with multiple tables in a database?
- Are there specific syntax rules or conventions that developers should follow when writing PHP code for database operations?
- What are common pitfalls when using while loops in PHP to retrieve and display data from a database?