What are the potential issues with the PHP code provided for handling newsletter subscriptions?
The main issue with the provided PHP code for handling newsletter subscriptions is that it is vulnerable to SQL injection: the submitted email address is interpolated directly into the SQL string, so a single quote in the input terminates the string literal and everything after it is parsed as SQL rather than stored as data. The fix is to use a prepared statement with a bound parameter, which sends the query text and the value to the server separately so the value can never change the query's structure. Escaping with mysqli_real_escape_string is a weaker alternative that is easy to forget on one code path; parameterized queries are the standard defence.
// Original vulnerable code: $email becomes part of the SQL text
$email = $_POST['email'];
$query = "INSERT INTO newsletter_subscriptions (email) VALUES ('$email')";
$result = mysqli_query($connection, $query);
// Fixed code using a prepared statement: the value is bound, never interpolated
$email = $_POST['email'];
$query = "INSERT INTO newsletter_subscriptions (email) VALUES (?)";
$stmt = mysqli_prepare($connection, $query);
if ($stmt === false) {
    // prepare fails on a syntax error or a missing table; do not continue blindly
    die('Could not prepare statement: ' . mysqli_error($connection));
}
mysqli_stmt_bind_param($stmt, 's', $email);   // 's' = bind as a string
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
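The following is an added example, not the code from the original question, that puts the fix into a complete handler and shows concretely what the interpolated version does with a hostile value. It assumes a MySQL/MariaDB table with a UNIQUE index on email (schema shown in the comment), placeholder connection credentials, and the helper names buildVulnerableQuery, subscribe and handleRequest, which are all invented here.

```php
<?php
declare(strict_types=1);

// Added example (not the page's own code). Assumed table:
//   CREATE TABLE newsletter_subscriptions (
//     id         INT AUTO_INCREMENT PRIMARY KEY,
//     email      VARCHAR(254) NOT NULL UNIQUE,
//     created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
//   );

// Make mysqli throw mysqli_sql_exception instead of returning false,
// so a failed prepare/execute cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Reproduces the original, vulnerable query construction so the effect of
 * a crafted value can be seen without touching a database.
 */
function buildVulnerableQuery(string $email): string
{
    return "INSERT INTO newsletter_subscriptions (email) VALUES ('$email')";
}

/**
 * Inserts one address with a parameterised INSERT.
 * Returns 'subscribed', 'already_subscribed' or 'invalid'.
 */
function subscribe(mysqli $db, string $rawEmail): string
{
    $email = trim($rawEmail);

    // Validation is a data-quality check, not the injection defence:
    // the bound parameter below is what keeps input out of the SQL text.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid';
    }

    $stmt = $db->prepare('INSERT INTO newsletter_subscriptions (email) VALUES (?)');
    $stmt->bind_param('s', $email);

    try {
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        // 1062 = ER_DUP_ENTRY: the UNIQUE index already holds this address.
        // Reporting it as a normal outcome avoids leaking a stack trace to the user.
        if ($e->getCode() === 1062) {
            return 'already_subscribed';
        }
        throw $e;
    } finally {
        $stmt->close();
    }

    return 'subscribed';
}

/** Form handler; credentials are placeholders. */
function handleRequest(): void
{
    $db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db');
    $db->set_charset('utf8mb4');
    $result = subscribe($db, $_POST['email'] ?? '');
    http_response_code($result === 'invalid' ? 400 : 200);
    echo $result, PHP_EOL;
}

// Constructed hostile value: the quote closes the string literal and the
// rest is parsed as SQL, adding a second row from a single form submission.
$payload = "victim@example.com'), ('attacker@example.com";
echo buildVulnerableQuery($payload), PHP_EOL;
// INSERT INTO newsletter_subscriptions (email) VALUES ('victim@example.com'), ('attacker@example.com')

// With subscribe(), the same payload never reaches the parser as SQL: it is
// rejected by FILTER_VALIDATE_EMAIL, and even an accepted value is sent
// as a bound parameter, so it is stored verbatim rather than executed.

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    handleRequest();
}
```

Running this from the command line prints only the expanded vulnerable query, which is the point: the attacker does not need a second statement or a semicolon, just a quote that ends the literal early. The mysqli_report call and the 1062 branch are the two details most often missing from copy-pasted fixes; without the former a failed prepare returns false and the next call fatals with an unhelpful message, and without the latter a repeat subscription surfaces as a server error.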
Related Questions
- How can PHP developers ensure that sensitive data, such as user information collected in contact forms, is securely stored and transmitted to external services?
- What are common issues when reading CSV files with UTF-8 characters in PHP?
- What are some troubleshooting steps to take if renaming folders in PHP is not working as expected?