What is the best practice for handling user input in PHP to prevent SQL injection when sorting a table?
To prevent SQL injection when sorting a table in PHP, the best practice is to use prepared statements with parameterized queries. This ensures that user input is properly sanitized and treated as data rather than executable SQL code.
<?php
// Assuming $sortColumn is the user input for the column to sort by
// Assuming $sortOrder is the user input for the order (ASC or DESC)
// A column name and the ASC/DESC keyword are SQL identifiers, not values, so PDO
// cannot bind them as parameters. Validate them against an allowlist instead and
// reserve bound placeholders for data values (WHERE conditions, LIMIT, etc.).
$allowedColumns = ['id', 'name', 'created_at']; // example column names; adjust to your table
$allowedOrders  = ['ASC', 'DESC'];
if (!in_array($sortColumn, $allowedColumns, true)) {
    $sortColumn = 'id';   // fall back to a safe default instead of using the raw input
}
$sortOrder = strtoupper((string) $sortOrder);
if (!in_array($sortOrder, $allowedOrders, true)) {
    $sortOrder = 'ASC';
}
// Establish a database connection (exceptions on error so failures are not silent)
$pdo = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password",
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// Only allowlisted values can reach the ORDER BY clause at this point
$stmt = $pdo->prepare("SELECT * FROM mytable ORDER BY `$sortColumn` $sortOrder");
// Execute the statement
$stmt->execute();
// Fetch the results
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
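The following is an added example, not code from the original answer, showing the same idea as a reusable helper: user-facing sort keys are mapped to fixed column names through an allowlist (so the user's string never appears in the SQL at all), while the genuine data value in the WHERE clause goes through a bound placeholder. The table `mytable`, the columns `id`, `name`, `created_at` and `status`, and the request keys `sort` and `dir` are assumptions for illustration.

```php
<?php
/**
 * Build a safe ORDER BY clause from untrusted sort key and direction.
 * Returns the SQL fragment or null if the key is not in the allowlist.
 * The map keys are what the client may send; the values are the real column names.
 */
function buildOrderBy(array $columnMap, string $sortKey, string $direction): ?string
{
    if (!array_key_exists($sortKey, $columnMap)) {
        return null; // unknown key: caller decides whether to default or reject
    }
    $dir = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC'; // anything else becomes ASC
    return 'ORDER BY `' . $columnMap[$sortKey] . '` ' . $dir;
}

// Allowlist: request key => column name (assumed schema)
$columnMap = [
    'id'      => 'id',
    'name'    => 'name',
    'created' => 'created_at',
];

// Untrusted request input (a request like ?sort=name&dir=desc&status=active)
$sortKey   = (string) ($_GET['sort'] ?? 'id');
$direction = (string) ($_GET['dir'] ?? 'asc');
$status    = (string) ($_GET['status'] ?? 'active');

$orderBy = buildOrderBy($columnMap, $sortKey, $direction) ?? 'ORDER BY `id` ASC';

$pdo = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password",
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// The value filter is a real parameter and is bound; the ORDER BY fragment only
// ever contains strings taken from $columnMap, never from the request.
$stmt = $pdo->prepare("SELECT * FROM mytable WHERE status = :status $orderBy");
$stmt->bindValue(':status', $status, PDO::PARAM_STR);
$stmt->execute();
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Mapping request keys to column names (rather than checking the raw column name against a list) also keeps the database schema out of the URL, and a `null` return from `buildOrderBy` gives the caller a clear hook for logging rejected sort parameters.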