What are the potential pitfalls of directly using user input in a MySQL query in PHP?

Using user input directly in a MySQL query in PHP leads to SQL injection: because the input is spliced into the SQL text, characters in it (a quote, a comment marker, a semicolon) are parsed as part of the query, and a malicious user can change what the query does to read, modify, or delete data. Validate user input (type, length, format) for correctness, but do not rely on escaping or "sanitizing" strings to stop injection; the reliable defence is prepared statements with parameterized queries, which send the SQL text and the values to the server separately so that user data is never parsed as SQL.

<?php
// Connection settings are placeholders; ATTR_EMULATE_PREPARES = false makes PDO use real server-side prepared statements
$pdo = new PDO('mysql:host=localhost;dbname=your_database;charset=utf8mb4', 'db_user', 'db_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

// Validate user input (presence and type). FILTER_SANITIZE_STRING is deprecated since PHP 8.1
// and was never an injection defence: the prepared statement below keeps the value out of the SQL text.
$user_input = $_POST['user_input'] ?? null;
if (!is_string($user_input) || $user_input === '') {
    exit('Missing user_input');
}

// Prepare and execute a parameterized query (`table` is a reserved word in MySQL, hence the backticks)
$stmt = $pdo->prepare("SELECT * FROM `table` WHERE `column` = :user_input");
$stmt->bindParam(':user_input', $user_input, PDO::PARAM_STR);
$stmt->execute();

// Fetch results as associative arrays
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
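The following is an added, self-contained example (not part of the original answer) that puts the concatenated query next to the parameterized one so the difference is observable. It uses PDO's SQLite driver with an in-memory database so it runs offline; the table name users, the column name, the sample rows and the input value are all constructed for the demonstration. A legitimate name containing an apostrophe is enough to show the problem: the concatenated version fails because the apostrophe is parsed as SQL, while the bound version returns the matching row.

```php
<?php
// Added example: concatenation vs. parameter binding with PDO.
// Runs against an in-memory SQLite database; table, rows and input are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Constructed input containing an apostrophe, a value a real user can legitimately submit.
$userInput = "O'Brien";

// UNSAFE: the value is spliced into the SQL text, so the apostrophe becomes part of
// the query grammar. Here that is merely a syntax error; when the input is attacker
// controlled it changes what the query does.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare time; the value travels separately and is
// never parsed as SQL, whatever characters it contains.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    findUserUnsafe($pdo, $userInput);
    echo "Unsafe query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "Unsafe query failed: the apostrophe was parsed as SQL (" . $e->getMessage() . ")\n";
}

$rows = findUserSafe($pdo, $userInput);
echo "Safe query returned " . count($rows) . " row(s): " . $rows[0]['name'] . "\n";
```

Run it with `php example.php`. The same two functions behave identically against MySQL once the DSN is changed; for MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so that PDO uses the server's native prepared statements rather than interpolating values client-side.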