What are some common security risks associated with passing user input directly into MySQL queries in PHP?

Passing user input directly into MySQL queries in PHP can lead to SQL injection attacks, where malicious users can manipulate the query to access, modify, or delete data in the database. To prevent this, you should always use parameterized queries or prepared statements to sanitize and validate user input before executing the query. 

// Using prepared statements to prevent SQL injection
$mysqli = new mysqli("localhost", "username", "password", "database");

// Check connection
if ($mysqli->connect_error) {
    die("Connection failed: " . $mysqli->connect_error);
}

// Prepare a SQL statement
$stmt = $mysqli->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param("s", $username);

// Set parameters and execute
$username = $_POST['username'];
$stmt->execute();

// Get the result
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Process the result
}

// Close the statement and connection
$stmt->close();
$mysqli->close();

Keywords

SQL injection user input validation prepared statements mysqli_real_escape_string security vulnerabilities

Related Questions