What are the potential issues with the PHP code provided for handling newsletter subscriptions?
The main issue is that the code is vulnerable to SQL injection: the raw value of `$_POST['email']` is interpolated directly into the SQL string, so a single quote in the submitted value ends the string literal and lets the attacker append their own SQL. The fix is to use a prepared statement with a bound parameter, so the user-supplied value is sent to the database separately from the query text and can never be parsed as SQL. Validating the address (for example with `filter_var(..., FILTER_VALIDATE_EMAIL)`) is a useful extra check, but it is not a substitute for parameterization.
// Original vulnerable code: the submitted value becomes part of the SQL text
$email = $_POST['email'];
$query = "INSERT INTO newsletter_subscriptions (email) VALUES ('$email')";
$result = mysqli_query($connection, $query);

// Fixed code using prepared statements
$email = $_POST['email'] ?? '';
$query = "INSERT INTO newsletter_subscriptions (email) VALUES (?)";
$stmt = mysqli_prepare($connection, $query);
if ($stmt === false) {
    // Do not echo mysqli_error() to the user; log it server-side instead
    throw new RuntimeException('Failed to prepare subscription statement');
}
// 's' binds the value as a string; it is sent separately from the query text
mysqli_stmt_bind_param($stmt, 's', $email);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
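The following is an added, self-contained example (not code from the original page) that shows the difference in behaviour. It uses PDO with an in-memory SQLite database instead of mysqli so that it runs without a MySQL server; the table name matches the page, the payload is constructed for the demonstration, and the function names are my own. The same injection works against MySQL, since both accept a multi-row `VALUES (...), (...)` list.

```php
<?php
// Added example: vulnerable interpolation vs. a bound parameter.
// PDO + in-memory SQLite is used so the script runs offline; the
// behaviour is the same with mysqli against MySQL.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE newsletter_subscriptions (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    return $db;
}

// Mirrors the original vulnerable line: the value is pasted into the SQL.
function subscribeVulnerable(PDO $db, string $email): void
{
    $query = "INSERT INTO newsletter_subscriptions (email) VALUES ('$email')";
    $db->exec($query);
}

// Parameterised: the value is bound, never parsed as SQL.
function subscribeParameterised(PDO $db, string $email): void
{
    $stmt = $db->prepare('INSERT INTO newsletter_subscriptions (email) VALUES (?)');
    $stmt->execute([$email]);
}

// Input validation as an additional layer in front of the database.
function isValidEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function listEmails(PDO $db): array
{
    return $db->query('SELECT email FROM newsletter_subscriptions ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker payload: closes the string literal and adds a second row.
$payload = "victim@example.com'), ('attacker@evil.example";

// 1. Vulnerable path: the attacker controls the query and inserts two rows.
$db = makeDb();
subscribeVulnerable($db, $payload);
echo "vulnerable: " . json_encode(listEmails($db)) . "\n";
// ["victim@example.com","attacker@evil.example"]

// 2. Parameterised path: the whole payload is stored as one literal value.
$db = makeDb();
subscribeParameterised($db, $payload);
echo "parameterised: " . json_encode(listEmails($db)) . "\n";
// ["victim@example.com'), ('attacker@evil.example"]

// 3. Validation rejects the payload before it reaches the database at all.
echo "payload valid: " . var_export(isValidEmail($payload), true) . "\n";   // false
echo "normal valid:  " . var_export(isValidEmail('alice@example.com'), true) . "\n"; // true
```

Run it with `php demo.php` (requires the `pdo_sqlite` extension). Step 2 is the important one: with the parameter bound, the quote and the extra `VALUES` clause are just characters in the stored string, which is exactly the guarantee the mysqli fix above relies on.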