What are some potential pitfalls of dynamically executing DB queries in PHP functions?
One potential pitfall of dynamically executing DB queries in PHP functions is the risk of SQL injection if user input is built into the query string without proper sanitization. To prevent this, always use prepared statements with parameterized queries, which send the query text and the user-supplied values to the database separately so the values are never parsed as SQL.

```php
// Example of using prepared statements to prevent SQL injection
// Assuming $conn is a valid mysqli connection object
function getUserByEmail($email) {
    global $conn;
    // The "?" placeholder keeps the query text fixed; the value is sent separately
    $stmt = $conn->prepare("SELECT * FROM users WHERE email = ?");
    if ($stmt === false) {
        throw new RuntimeException("Prepare failed: " . $conn->error);
    }
    $stmt->bind_param("s", $email); // "s" marks the bound value as a string
    $stmt->execute();
    $result = $stmt->get_result();
    $user = $result->fetch_assoc(); // null when no row matches
    $stmt->close();
    return $user;
}
```
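As an added example (not part of the original answer), the following shows the dynamic-query pattern that creates the risk beside a hardened PDO version; it also covers the case prepared statements cannot handle on their own, a dynamic ORDER BY column, which must be checked against an allow-list because identifiers cannot be bound as parameters. The `users` table, its columns and the connection settings are assumptions for this example.

```php
<?php
// Constructed example: assumes a PDO connection and a `users` table with
// columns id, email, name, created_at.

// VULNERABLE: user input is concatenated straight into the SQL string, so any
// quote or operator in $email or $sortBy becomes part of the query, not data.
function findUsersUnsafe(PDO $pdo, string $email, string $sortBy): array
{
    $sql = "SELECT id, email, name FROM users WHERE email = '$email' ORDER BY $sortBy";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: values go through bound parameters; identifiers (which cannot be
// bound) are validated against a fixed allow-list before being interpolated.
function findUsersSafe(PDO $pdo, string $email, string $sortBy, string $dir = 'ASC'): array
{
    $allowedColumns = ['id', 'email', 'name', 'created_at'];
    if (!in_array($sortBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    // Only the two literal keywords can ever reach the query text.
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';

    // The value is shipped separately from the query text and is never parsed as SQL.
    $stmt = $pdo->prepare(
        "SELECT id, email, name FROM users WHERE email = :email ORDER BY $sortBy $dir"
    );
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection: disable client-side emulation so the server receives true
// prepared statements, and raise exceptions instead of silently failing.
$pdo = new PDO(
    getenv('DB_DSN') ?: 'mysql:host=localhost;dbname=app', // placeholder DSN
    getenv('DB_USER') ?: 'app',                             // placeholder user
    getenv('DB_PASS') ?: '',                                // placeholder password
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

$users = findUsersSafe($pdo, $_GET['email'] ?? '', $_GET['sort'] ?? 'id', $_GET['dir'] ?? 'ASC');
```

Note that `findUsersUnsafe` is kept only to show the shape of the problem; in the hardened version the only strings that reach the query text besides the fixed SQL are members of the allow-list.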