What are common pitfalls when writing SQL queries in PHP?
One common pitfall when writing SQL queries in PHP is not properly sanitizing user input, which can leave your application vulnerable to SQL injection attacks. To solve this issue, always use prepared statements with parameterized queries to securely pass user input to the database.
// Example of using prepared statements to prevent SQL injection
// The database credentials get their own variable names so they are not
// confused with the username submitted by the user below
$conn = new mysqli($servername, $db_user, $db_password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
// Read the submitted username (empty string if the field is missing)
$username = $_POST['username'] ?? '';
// Prepare a SQL query using a parameterized statement
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ?");
if ($stmt === false) {
    die("Prepare failed: " . $conn->error);
}
// Bind the user input as a string parameter ("s"); it is sent to the
// database as data and is never spliced into the SQL text
$stmt->bind_param("s", $username);
// Execute the query
$stmt->execute();
// Process the results
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Process each row
}
// Close the statement and connection
$stmt->close();
$conn->close();
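To make the difference concrete, here is an added example (not part of the original answer) that runs the same lookup both ways against an in-memory SQLite database through PDO, so it needs no server. The table, its rows and the two inputs are constructed for the demonstration; it assumes the pdo_sqlite extension is installed.

```php
<?php
// Added example: the same user lookup written as string concatenation and as
// a prepared statement, run against a constructed in-memory SQLite database.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$seed = $pdo->prepare("INSERT INTO users (username) VALUES (?)");
foreach (['alice', 'bob', 'carol'] as $name) {   // constructed sample rows
    $seed->execute([$name]);
}

// Vulnerable: the input becomes part of the SQL text, so the quoting and
// logic of the statement are under the caller's control.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement is compiled with a placeholder first; the value is
// supplied afterwards and can only ever be compared as data.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare("SELECT id, username FROM users WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary username and the textbook injection string.
$inputs = ["alice", "' OR '1'='1"];
foreach ($inputs as $input) {
    printf("input %-16s concatenated=%d rows  prepared=%d rows\n",
        json_encode($input),
        count(findUserVulnerable($pdo, $input)),
        count(findUserSafe($pdo, $input)));
}
```

Run it with `php example.php`: the concatenated query returns every row for the second input, while the prepared statement returns none, because the whole string is matched literally against the username column. When the same pattern is used with the MySQL driver, set `PDO::ATTR_EMULATE_PREPARES` to `false` so the placeholders are bound by the server rather than interpolated client-side.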