What are some potential design flaws in the PHP code provided for updating database records?

One potential design flaw in the provided PHP code for updating database records is the lack of prepared statements, which leaves the code vulnerable to SQL injection attacks. To solve this issue, you should use prepared statements to safely pass user input to the database.

// Original code without prepared statements
$id = $_POST[&#039;id&#039;];
$name = $_POST[&#039;name&#039;];
$age = $_POST[&#039;age&#039;];

$query = &quot;UPDATE users SET name=&#039;$name&#039;, age=&#039;$age&#039; WHERE id=&#039;$id&#039;&quot;;
mysqli_query($conn, $query);

// Updated code with prepared statements
$id = $_POST[&#039;id&#039;];
$name = $_POST[&#039;name&#039;];
$age = $_POST[&#039;age&#039;];

$stmt = $conn-&gt;prepare(&quot;UPDATE users SET name=?, age=? WHERE id=?&quot;);
$stmt-&gt;bind_param(&quot;ssi&quot;, $name, $age, $id);
$stmt-&gt;execute();

Keywords

SQL injection data validation prepared statements error handling database transactions

What are some potential design flaws in the PHP code provided for updating database records?

Keywords

Related Questions