What are the potential security risks of using user input directly in a SQL query in PHP?

Using user input directly in a SQL query in PHP can lead to SQL injection attacks, where malicious users can manipulate the query to access or modify sensitive data. To prevent this, you should always use prepared statements with parameterized queries in PHP to sanitize and validate user input before executing the SQL query.

// Sample code to prevent SQL injection using prepared statements
$mysqli = new mysqli(&quot;localhost&quot;, &quot;username&quot;, &quot;password&quot;, &quot;database&quot;);

// Check connection
if ($mysqli-&gt;connect_error) {
    die(&quot;Connection failed: &quot; . $mysqli-&gt;connect_error);
}

// Prepare a SQL query using a parameterized statement
$stmt = $mysqli-&gt;prepare(&quot;SELECT * FROM users WHERE username = ?&quot;);
$stmt-&gt;bind_param(&quot;s&quot;, $username);

// Set the user input after sanitizing and validating it
$username = filter_var($_POST[&#039;username&#039;], FILTER_SANITIZE_STRING);

// Execute the prepared statement
$stmt-&gt;execute();

// Process the results
$result = $stmt-&gt;get_result();
while ($row = $result-&gt;fetch_assoc()) {
    // Do something with the data
}

// Close the statement and connection
$stmt-&gt;close();
$mysqli-&gt;close();

Keywords

SQL injection user input validation prepared statements mysqli_real_escape_string security vulnerabilities

What are the potential security risks of using user input directly in a SQL query in PHP?

Keywords

Related Questions