What are the best practices for sanitizing and validating user input before executing SQL queries in PHP?

When executing SQL queries in PHP, user input must never be concatenated into the SQL text; that is what makes SQL injection possible. The primary defence is prepared statements with parameterized queries (mysqli or PDO): the SQL text and the bound values are sent to the database separately, so a bound value is always treated as data and can never be parsed as SQL, and no escaping is needed. Input validation is a complementary layer, not a substitute: use filter_var() with a FILTER_VALIDATE_* filter or a strict regular expression to reject anything that does not match the expected type and format, rather than "sanitizing" input by stripping characters (FILTER_SANITIZE_STRING is deprecated since PHP 8.1 and silently alters what the user sent). Note that parameters only cover values; identifiers such as table or column names and the ORDER BY direction cannot be bound and must be checked against a fixed allow-list instead.

// Validating user input before executing a parameterized SQL query in PHP (mysqli)

// Assuming $conn is a mysqli connection object. Report errors as exceptions so a
// failed prepare() or execute() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Read the raw value; do not "sanitize" it first. Stripping characters silently
// changes what the user sent, whereas validation rejects bad input outright.
$userInput = $_POST['user_input'] ?? '';

// Validate: accept only the exact shape a username is allowed to have. The is_string
// check rejects array input (user_input[]=...), and the D modifier makes $ match only
// at the very end of the string, so a trailing newline is rejected too.
if (is_string($userInput) && preg_match('/^[a-zA-Z0-9]{1,32}$/D', $userInput) === 1) {
    // Prepare the statement with a placeholder; the value is sent separately from
    // the SQL text, so it can never be parsed as SQL.
    $stmt = $conn->prepare("SELECT id, username FROM users WHERE username = ?");
    $stmt->bind_param("s", $userInput);
    $stmt->execute();

    // Process the results
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        // Handle the data
    }

    $stmt->close();
} else {
    // Handle invalid input: reject it with an error, do not try to repair it
}
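As an added example (not part of the original answer), the same approach with PDO, showing the vulnerable string concatenation beside the parameterized version, integer validation with FILTER_VALIDATE_INT, and the two cases that parameters do not cover: identifiers in ORDER BY (handled with an allow-list) and LIKE wildcards (handled by escaping). It uses an in-memory SQLite database with constructed sample rows so it runs offline; the table, column and function names are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original page): validate, then bind, with PDO.
// In-memory SQLite with constructed sample rows so it runs offline; the same
// statements work against MySQL by changing the DSN.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, created_at TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO users (username, created_at) VALUES (?, ?)');
foreach ([['alice', '2024-01-05'], ['bob', '2024-02-11'], ['carol_x', '2024-03-20']] as $row) {
    $seed->execute($row);   // constructed sample data
}

// VULNERABLE: input becomes part of the SQL text. "' OR '1'='1" returns every row.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll();
}

// SAFE: the value travels as a parameter, never as SQL text, so no escaping is needed.
// Validation still runs first so garbage is rejected rather than "cleaned".
function findUserSafe(PDO $pdo, string $username): array
{
    // \z anchors at the true end of the string (unlike $, which allows a trailing newline)
    if (preg_match('/^[A-Za-z0-9_]{1,32}\z/', $username) !== 1) {
        throw new InvalidArgumentException('invalid username');
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll();
}

// Numeric input: FILTER_VALIDATE_INT returns false for anything that is not a
// well-formed integer in range, so "2; DROP TABLE users" never reaches the query.
function findUserById(PDO $pdo, mixed $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Identifiers (column names, sort direction) cannot be bound: map them through an
// allow-list. LIKE wildcards are data, so a parameter alone does not neutralise
// % and _; escape them and declare the escape character in the query.
function searchUsers(PDO $pdo, string $prefix, string $orderBy, string $direction): array
{
    $allowedColumns = ['username' => 'username', 'created' => 'created_at'];
    $column    = $allowedColumns[$orderBy] ?? 'username';
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';

    // '!' is used as the LIKE escape character; it is portable across MySQL and SQLite
    $escaped = strtr($prefix, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $stmt = $pdo->prepare(
        "SELECT id, username FROM users WHERE username LIKE :p ESCAPE '!' ORDER BY $column $direction"
    );
    $stmt->execute([':p' => $escaped]);
    return $stmt->fetchAll();
}

$injected = "' OR '1'='1";
echo count(findUserUnsafe($pdo, $injected)), " rows from the unsafe query\n"; // 3: injection succeeded
try {
    findUserSafe($pdo, $injected);
} catch (InvalidArgumentException $e) {
    echo "safe query rejected the input: ", $e->getMessage(), "\n";
}
echo count(findUserSafe($pdo, 'alice')), " row for alice\n";                               // 1
var_dump(findUserById($pdo, '2; DROP TABLE users'));                                        // NULL
echo count(searchUsers($pdo, '%', 'created', 'desc')), " rows for a literal '%' prefix\n"; // 0
echo count(searchUsers($pdo, 'carol_', 'nope', 'sideways')), " row for 'carol_'\n";        // 1
```

When the target is MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the driver uses server-side prepared statements rather than interpolating quoted values client-side; the SQLite driver does not accept that attribute, which is why it is left out above.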