What are the potential security risks associated with using MySQL queries directly in PHP code?

When using MySQL queries directly in PHP code, there is a risk of SQL injection attacks if user input is not properly sanitized. To mitigate this risk, it is important to use prepared statements with parameterized queries to prevent malicious SQL code from being injected into the query.

// Using prepared statements to prevent SQL injection
$mysqli = new mysqli(&quot;localhost&quot;, &quot;username&quot;, &quot;password&quot;, &quot;database&quot;);

// Check connection
if ($mysqli-&gt;connect_error) {
    die(&quot;Connection failed: &quot; . $mysqli-&gt;connect_error);
}

// Prepare a SQL statement
$stmt = $mysqli-&gt;prepare(&quot;SELECT * FROM users WHERE username = ?&quot;);

// Bind parameters
$stmt-&gt;bind_param(&quot;s&quot;, $username);

// Set parameters and execute
$username = $_POST[&#039;username&#039;];
$stmt-&gt;execute();

// Get result
$result = $stmt-&gt;get_result();

// Fetch data
while ($row = $result-&gt;fetch_assoc()) {
    // Do something with the data
}

// Close statement and connection
$stmt-&gt;close();
$mysqli-&gt;close();

Keywords

SQL injection prepared statements PDO mysqli data validation

What are the potential security risks associated with using MySQL queries directly in PHP code?

Keywords

Related Questions