What are some common mistakes to avoid when writing SQL queries in PHP code to retrieve data from a database?

One common mistake to avoid when writing SQL queries in PHP code is building the query string by concatenating or interpolating user-supplied values directly into it. Any quote or SQL syntax in the input then becomes part of the query, which leaves your code vulnerable to SQL injection attacks. Instead, use prepared statements with parameterized queries: the SQL text is sent to the server on its own, and the values are bound separately, so they are always treated as data and never as SQL.

// Incorrect way: interpolating user input into the query string
// (the value becomes part of the SQL text, so it can change the query)
$username = $_POST['username'];
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysqli_query($connection, $query);

// Correct way using prepared statements
$username = $_POST['username'] ?? '';
$query = "SELECT * FROM users WHERE username = ?";
$stmt = mysqli_prepare($connection, $query);
if ($stmt === false) {
    // Do not continue with a failed prepare; log the driver error instead of echoing it
    throw new RuntimeException('Prepare failed: ' . mysqli_error($connection));
}
// "s" binds the value as a string; it is sent separately from the SQL text
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt); // requires the mysqlnd driver
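The same lookup written with PDO, as an added example that is not part of the original answer. It also covers two cases the single-placeholder form above does not: an IN list, which needs one placeholder per value, and a LIKE search, where binding alone does not neutralise wildcards. The table and column names (users, id, username, email), the DSN and the credentials are assumed placeholders.

```php
<?php
// Added example, not code from the original answer: the same lookup using PDO.
// Assumes a MySQL table users(id, username, email); names are placeholders.
declare(strict_types=1);

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, not with false
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares: values never touch the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Exact match: the value is bound to a placeholder, never interpolated into the query.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// IN (...) lists cannot be bound as one value: emit one placeholder per element.
// Only the literal "?" markers are interpolated here, never the user values.
function findUsers(PDO $db, array $usernames): array
{
    if ($usernames === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($usernames), '?'));
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username IN ($placeholders)");
    $stmt->execute(array_values($usernames));
    return $stmt->fetchAll();
}

// Prefix search: binding stops injection, but LIKE wildcards in the input still need
// escaping (MySQL's default LIKE escape character is the backslash).
function searchUsers(PDO $db, string $prefix): array
{
    $escaped = addcslashes($prefix, '%_\\');
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username LIKE ?');
    $stmt->execute([$escaped . '%']);
    return $stmt->fetchAll();
}

// Usage (DSN and credentials are placeholders):
// $db = connect('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret');
// var_dump(findUser($db, "O'Brien")); // the quote is data, not SQL
```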