What are common syntax errors to watch out for when using PHP for database queries?

One common syntax error to watch out for when using PHP for database queries is forgetting to properly escape variables before inserting them into the query. This can lead to SQL injection attacks. To solve this issue, always use prepared statements with parameterized queries to securely pass variables into the query.

// Incorrect way without using prepared statements
$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($connection, $query);

// Correct way using prepared statements
$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username=? AND password=?";
$stmt = mysqli_prepare($connection, $query);
mysqli_stmt_bind_param($stmt, "ss", $username, $password);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
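
The following is an added example, not part of the original page, that runs both patterns against the same input: a username containing an apostrophe. It assumes PDO with an in-memory SQLite database (pdo_sqlite extension) instead of the page's mysqli connection; the table, the stored row, the input values and the helper names lookupInterpolated and lookupPrepared are constructed for the demonstration.

```php
<?php
// Added example: constructed data, in-memory SQLite via PDO (the page itself uses mysqli).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$pdo->exec("INSERT INTO users (username, password) VALUES ('O''Brien', 'constructed-value')");

// Constructed input standing in for $_POST['username'] and $_POST['password'].
$username = "O'Brien";
$password = "constructed-value";

function lookupInterpolated(PDO $pdo, string $username, string $password): string
{
    // Same pattern as the "incorrect" snippet: the values become part of the SQL text,
    // so the apostrophe in the username ends the string literal early.
    $query = "SELECT id FROM users WHERE username='$username' AND password='$password'";
    try {
        $rows = $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
        return "rows=" . count($rows);
    } catch (PDOException $e) {
        return "error: " . $e->getMessage();
    }
}

function lookupPrepared(PDO $pdo, string $username, string $password): string
{
    // Same pattern as the "correct" snippet: the SQL text is fixed and the values
    // are bound as data, so quotes inside them are never parsed as SQL.
    $stmt = $pdo->prepare("SELECT id FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$username, $password]);
    return "rows=" . count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

echo "interpolated: ", lookupInterpolated($pdo, $username, $password), PHP_EOL;
echo "prepared:     ", lookupPrepared($pdo, $username, $password), PHP_EOL;
```

The interpolated lookup fails with a SQL syntax error raised by the database, while the prepared lookup finds the one matching row.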