What are the potential security risks of directly passing parameters via URL and inserting them into a MySQL database in PHP?
Passing parameters directly via URL and inserting them into a MySQL database in PHP can lead to SQL injection attacks, where malicious code is injected into the database query. To mitigate this risk, it is important to sanitize and validate user input before inserting it into the database.
// Sanitize user input before inserting into the database
$param = filter_input(INPUT_GET, 'param', FILTER_SANITIZE_STRING);
// Prepare a SQL statement using prepared statements to prevent SQL injection
$stmt = $pdo->prepare("INSERT INTO table_name (column_name) VALUES (:param)");
$stmt->bindParam(':param', $param);
$stmt->execute();
Related Questions
- What best practices should be followed when designing input forms in PHP to prevent validation errors?
- In what scenarios would generating all possible combinations of array elements be useful in PHP development?
- What are common PHP functions used for validating input formats like birthdates and phone numbers?