What are some common pitfalls when using PHP to interact with databases, as seen in the provided code snippet?
One common pitfall when using PHP to interact with databases is not properly sanitizing user input, which can lead to SQL injection attacks. To prevent this, it's important to use prepared statements or parameterized queries to securely pass user input to the database.
// Original code with SQL injection vulnerability: user-controlled values are
// spliced straight into the SQL text, so a quote in the input changes the query
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($connection, $query);

// Fixed code using prepared statements: the SQL text contains only placeholders,
// and the values are sent to the server separately as data
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username=? AND password=?";
$stmt = mysqli_prepare($connection, $query);
// 'ss' declares both bound parameters as strings
mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
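As an added example (not part of the original answer), the script below runs both query styles side by side against an in-memory SQLite database through PDO, so it needs no MySQL server; PDO's prepare/execute play the role of mysqli_prepare/mysqli_stmt_bind_param/mysqli_stmt_execute above. The table contents and the three test inputs are constructed for the demonstration.

```php
<?php
// Added example: contrast string-concatenated SQL with a parameterized query.
// Uses PDO + in-memory SQLite instead of mysqli so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
// Constructed sample rows; note the name containing an apostrophe.
$db->exec("INSERT INTO users VALUES ('alice', 's3cret'), ('o''brien', 'pw')");

// Vulnerable form: the input becomes part of the SQL text.
// Returns the number of matching rows, or null if the SQL no longer parses.
function loginConcat(PDO $db, string $user, string $pass): ?int {
    $sql = "SELECT COUNT(*) FROM users WHERE username='$user' AND password='$pass'";
    try {
        return (int) $db->query($sql)->fetchColumn();
    } catch (PDOException $e) {
        return null; // e.g. a legitimate apostrophe broke the statement
    }
}

// Fixed form: the SQL text is fixed; the input is bound as data.
function loginPrepared(PDO $db, string $user, string $pass): int {
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username=? AND password=?");
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: a wrong password, a real name with an apostrophe,
// and the textbook tautology that makes the WHERE clause always true.
$cases = [
    ['alice', 'wrong'],
    ["o'brien", 'pw'],
    ["' OR '1'='1", "' OR '1'='1"],
];
foreach ($cases as [$u, $p]) {
    printf("%-16s concat=%-4s prepared=%d\n", json_encode($u),
        var_export(loginConcat($db, $u, $p), true), loginPrepared($db, $u, $p));
}
```

The concatenated version fails outright on the apostrophe case and matches every row on the tautology case, while the prepared statement treats both inputs as literal strings and returns the one correct match and no match respectively.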