What are the potential pitfalls of directly outputting the result of a MySQL query in PHP without proper handling?

Directly outputting the result of a MySQL query in PHP without proper handling can lead to security vulnerabilities such as SQL injection attacks. To prevent this, you should always sanitize and escape user input before using it in a query. Additionally, you should handle errors that may occur during the query execution to provide a better user experience.

// Example of properly handling a MySQL query in PHP
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn-&gt;connect_error) {
    die(&quot;Connection failed: &quot; . $conn-&gt;connect_error);
}

$sql = &quot;SELECT * FROM users WHERE id = ?&quot;;
$stmt = $conn-&gt;prepare($sql);
$stmt-&gt;bind_param(&quot;i&quot;, $id);

$id = 1;
$stmt-&gt;execute();
$result = $stmt-&gt;get_result();

if ($result-&gt;num_rows &gt; 0) {
    while($row = $result-&gt;fetch_assoc()) {
        echo &quot;id: &quot; . $row[&quot;id&quot;]. &quot; - Name: &quot; . $row[&quot;name&quot;]. &quot;&lt;br&gt;&quot;;
    }
} else {
    echo &quot;0 results&quot;;
}

$stmt-&gt;close();
$conn-&gt;close();

Keywords

MySQL PHP SQL injection data validation error handling

What are the potential pitfalls of directly outputting the result of a MySQL query in PHP without proper handling?

Keywords

Related Questions