What are the best practices for implementing prepared statements in PHP?

Using prepared statements in PHP helps prevent SQL injection attacks by separating SQL logic from user input. To implement prepared statements in PHP, you can use PDO (PHP Data Objects) or MySQLi extensions. Prepared statements allow you to bind parameters to placeholders in the SQL query, ensuring that user input is treated as data rather than executable code. 

// Using PDO
$dsn = 'mysql:host=localhost;dbname=mydatabase';
$username = 'username';
$password = 'password';

try {
    $pdo = new PDO($dsn, $username, $password);
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
    $stmt->bindParam(':username', $username);
    $stmt->execute();
    $result = $stmt->fetchAll();
} catch (PDOException $e) {
    echo 'Error: ' . $e->getMessage();
}

// Using MySQLi
$mysqli = new mysqli('localhost', 'username', 'password', 'mydatabase');
$stmt = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();
$mysqli->close();

Keywords

Prepared statements PHP SQL injection PDO mysqli

Related Questions