What are the best practices for handling SQL queries with strings and numbers in PHP?

When handling SQL queries with strings and numbers in PHP, it is important to properly sanitize and escape user input to prevent SQL injection attacks. One way to do this is by using prepared statements with parameterized queries. This helps separate the SQL query logic from the user input, ensuring that the input is treated as data rather than executable code.

// Example of using prepared statements to handle SQL queries with strings and numbers in PHP

// Establish a database connection
$pdo = new PDO(&quot;mysql:host=localhost;dbname=mydatabase&quot;, &quot;username&quot;, &quot;password&quot;);

// Prepare a SQL query with a parameterized query
$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM users WHERE username = :username AND age = :age&quot;);

// Bind parameters to the prepared statement
$stmt-&gt;bindParam(&#039;:username&#039;, $username, PDO::PARAM_STR);
$stmt-&gt;bindParam(&#039;:age&#039;, $age, PDO::PARAM_INT);

// Set the parameters
$username = &quot;john_doe&quot;;
$age = 30;

// Execute the prepared statement
$stmt-&gt;execute();

// Fetch the results
$results = $stmt-&gt;fetchAll(PDO::FETCH_ASSOC);

// Loop through the results
foreach ($results as $row) {
    // Process each row as needed
    echo $row[&#039;username&#039;] . &quot; is &quot; . $row[&#039;age&#039;] . &quot; years old.&lt;br&gt;&quot;;
}

Keywords

SQL queries strings numbers PHP data handling

What are the best practices for handling SQL queries with strings and numbers in PHP?

Keywords

Related Questions