What are the potential pitfalls of using wildcards in SQL queries when filtering data in PHP?

Using wildcards in SQL queries when filtering data in PHP can potentially lead to SQL injection attacks if the input is not properly sanitized. To prevent this, it's important to use prepared statements with parameterized queries to ensure that user input is treated as data rather than executable SQL code.

// Using prepared statements to prevent SQL injection when using wildcards in SQL queries

// Establish a database connection
$pdo = new PDO(&quot;mysql:host=localhost;dbname=mydatabase&quot;, &quot;username&quot;, &quot;password&quot;);

// User input
$searchTerm = $_GET[&#039;search&#039;];

// Prepare a SQL statement with a wildcard
$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM mytable WHERE column LIKE :searchTerm&quot;);

// Bind the wildcard parameter
$stmt-&gt;bindParam(&#039;:searchTerm&#039;, $searchTerm, PDO::PARAM_STR);

// Execute the query
$stmt-&gt;execute();

// Fetch the results
$results = $stmt-&gt;fetchAll(PDO::FETCH_ASSOC);

// Output the results
foreach ($results as $row) {
    echo $row[&#039;column&#039;] . &quot;&lt;br&gt;&quot;;
}

Keywords

wildcards SQL queries filtering data PHP pitfalls

What are the potential pitfalls of using wildcards in SQL queries when filtering data in PHP?

Keywords

Related Questions