What are the potential pitfalls of using the mysql_query() function in PHP for database operations?

Using the mysql_query() function in PHP for database operations can lead to SQL injection vulnerabilities as it does not provide proper escaping of user input. To prevent this, you should use parameterized queries with prepared statements or use mysqli or PDO extensions for database operations.

// Using mysqli prepared statements to prevent SQL injection
$mysqli = new mysqli(&quot;localhost&quot;, &quot;username&quot;, &quot;password&quot;, &quot;database&quot;);

// Check connection
if ($mysqli-&gt;connect_error) {
    die(&quot;Connection failed: &quot; . $mysqli-&gt;connect_error);
}

// Prepare a statement
$stmt = $mysqli-&gt;prepare(&quot;SELECT * FROM users WHERE username = ?&quot;);
$stmt-&gt;bind_param(&quot;s&quot;, $username);

// Set parameters and execute
$username = &quot;john_doe&quot;;
$stmt-&gt;execute();

// Fetch result
$result = $stmt-&gt;get_result();
while ($row = $result-&gt;fetch_assoc()) {
    // Do something with the data
}

// Close statement and connection
$stmt-&gt;close();
$mysqli-&gt;close();

What are the potential pitfalls of using the mysql_query() function in PHP for database operations?

Related Questions