What are the potential pitfalls of updating database records in PHP without properly handling user input?

Building an UPDATE statement by concatenating request values into the SQL string lets an attacker change the query itself rather than just the data: a crafted user id such as 1 OR 1=1 turns the WHERE clause into a condition that matches every row, so a single request rewrites every user's email. The defence against this is a prepared statement (parameterized query): the SQL text is sent to the database with placeholders, and the values are bound separately, so they are never parsed as SQL no matter what they contain. Input validation is still worth doing as defence in depth, because it rejects values that make no sense for the column (a non-numeric id, a malformed address) before any query runs, but it is not a substitute for binding. Be careful with the distinction between validating and sanitizing: filters such as FILTER_SANITIZE_NUMBER_INT silently strip characters instead of rejecting the input, so a mangled id may simply point the update at the wrong record, whereas FILTER_VALIDATE_INT returns false and lets you refuse the request. A related pitfall is trusting the id at all: even a correctly bound id chosen by the client must still be checked against what the authenticated user is allowed to modify.

// Example of updating database records with validated user input and a prepared statement

// Assuming $conn is an open mysqli connection; with this report mode, prepare()/execute() failures throw instead of silently returning false
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Validate (not merely sanitize) user input: FILTER_VALIDATE_* returns false for anything that is not an integer / a syntactically valid address.
// The null coalescing operator guards against a missing POST field.
$user_id = filter_var($_POST['user_id'] ?? '', FILTER_VALIDATE_INT);
$new_email = filter_var($_POST['new_email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($user_id === false || $new_email === false) {
    http_response_code(400);
    exit('Invalid user id or email address');
}

// Note: $user_id still comes from the client; an authorization check that the logged-in user may modify this record is required before this point (not shown)

// Prepare the update query; the placeholders keep the SQL text fixed and the bound values are passed to the server separately
$stmt = $conn->prepare("UPDATE users SET email = ? WHERE id = ?");
$stmt->bind_param("si", $new_email, $user_id);

// Execute the query; affected_rows tells you whether a row with that id actually existed
$stmt->execute();
$updated = $stmt->affected_rows;

// Close the statement and connection
$stmt->close();
$conn->close();
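A runnable contrast between the concatenated and parameterized forms of the same UPDATE, added here as an illustration and not taken from the answer above. It uses PDO with an in-memory SQLite database (the pdo_sqlite extension) so that it runs without a database server; the users table, the id and email columns and the attacker input are constructed for the demonstration.

```php
<?php
// Added example: the UPDATE from the answer built by string concatenation
// versus with bound parameters, run against an in-memory SQLite database.
// Table, rows and the malicious inputs are constructed for this demonstration.
declare(strict_types=1);

function seed(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $db->exec("INSERT INTO users (id, email) VALUES
        (1, 'alice@example.com'), (2, 'bob@example.com'), (3, 'carol@example.com')");
    return $db;
}

// Returns id => email for every row, to show what the database ended up with.
function emails(PDO $db): array {
    return $db->query('SELECT id, email FROM users ORDER BY id')->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Vulnerable: untrusted values are spliced into the SQL text, so they can change its structure.
function updateEmailVulnerable(PDO $db, string $userId, string $newEmail): int {
    $sql = "UPDATE users SET email = '$newEmail' WHERE id = $userId";
    return $db->exec($sql);
}

// Hardened: the SQL text is fixed; values travel as bound parameters and are only ever data.
function updateEmailSafe(PDO $db, int $userId, string $newEmail): int {
    $stmt = $db->prepare('UPDATE users SET email = :email WHERE id = :id');
    $stmt->bindValue(':email', $newEmail, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed attacker input: a "user id" that turns the WHERE clause into a tautology.
$maliciousId = '1 OR 1=1';

// 1. Concatenation: one request overwrites every user's address.
$db = seed();
$affected = updateEmailVulnerable($db, $maliciousId, 'attacker@example.com');
printf("vulnerable: %d rows changed\n", $affected);
print_r(emails($db));

// 2. Validation rejects the same input before any query is built.
$validated = filter_var($maliciousId, FILTER_VALIDATE_INT);
if ($validated === false) {
    echo "validation: '$maliciousId' rejected by FILTER_VALIDATE_INT\n";
}
// FILTER_SANITIZE_NUMBER_INT would instead strip the non-digits and return a
// different, but syntactically valid, id: silently the wrong record.
printf("sanitize-only would yield id '%s'\n", filter_var($maliciousId, FILTER_SANITIZE_NUMBER_INT));

// 3. Binding: even a value that deliberately contains SQL is stored literally,
//    because the database never parses a bound parameter as part of the statement.
$db = seed();
$affected = updateEmailSafe($db, 2, "bob@example.com' OR 1=1 --");
printf("safe: %d row changed\n", $affected);
print_r(emails($db));
```

Run with the PHP CLI; the first print_r shows all three rows carrying the attacker's address, the second shows only row 2 changed, with the injected characters stored as an ordinary string. The type declarations on updateEmailSafe matter as well: accepting int for the id means a value that failed FILTER_VALIDATE_INT cannot even be passed to it.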