What are the risks of neglecting SQL injection prevention measures, such as using mysql_real_escape_string, when writing PHP scripts that interact with databases?
Neglecting SQL injection prevention measures, such as using mysql_real_escape_string, can leave your PHP scripts vulnerable to malicious attacks where an attacker can manipulate SQL queries to access, modify, or delete data in your database. To prevent this, always sanitize user input before using it in SQL queries. One way to do this is by using prepared statements or escaping user input with functions like mysqli_real_escape_string.
// Using mysqli_real_escape_string to prevent SQL injection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// Escape user input to prevent SQL injection
$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
// Prepare and bind SQL statement
$stmt = $conn->prepare("SELECT * FROM users WHERE username=? AND password=?");
$stmt->bind_param("ss", $username, $password);
// Execute SQL statement
$stmt->execute();
// Fetch result
$result = $stmt->get_result();
// Process result
if ($result->num_rows > 0) {
// User authenticated
} else {
// User not found
}
// Close statement and connection
$stmt->close();
$conn->close();
Related Questions
- How can you optimize the process of generating a table and populating it with data in PHP?
- What are some troubleshooting steps to identify and resolve discrepancies between PHP configuration files and phpinfo() output?
- What are the advantages and disadvantages of using phpMyAdmin for table display and editing compared to custom PHP code?