What are the best practices for handling user input when using wildcards in PHP database queries?

When using wildcards in PHP database queries, it is important to properly handle user input to prevent SQL injection attacks. One way to do this is by sanitizing and validating user input before using it in the query. This can be done by using prepared statements with parameterized queries, which automatically handle escaping and sanitizing user input. 

// Example of handling user input with wildcards in a PHP database query
$user_input = $_POST['search_term']; // Assuming user input is received via POST

// Sanitize and validate user input
$search_term = filter_var($user_input, FILTER_SANITIZE_STRING);

// Prepare the query with a wildcard
$stmt = $pdo->prepare("SELECT * FROM table_name WHERE column_name LIKE ?");
$stmt->execute(["%$search_term%"]);

// Fetch results
$results = $stmt->fetchAll();

Keywords

SQL injection prepared statements PDO mysqli_real_escape_string parameterized queries

Related Questions