What is the best practice for securely querying a database in PHP using user input?

When querying a database in PHP using user input, it is crucial to sanitize and validate the input to prevent SQL injection attacks. The best practice is to use prepared statements with parameterized queries, which separate the SQL query from the user input. This helps to ensure that the user input is treated as data rather than executable code.

// Establish a database connection
$pdo = new PDO(&#039;mysql:host=localhost;dbname=mydatabase&#039;, &#039;username&#039;, &#039;password&#039;);

// Sanitize and validate user input
$userInput = $_POST[&#039;input&#039;];
$userInput = filter_var($userInput, FILTER_SANITIZE_STRING);

// Prepare a SQL statement with a parameterized query
$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM mytable WHERE column = :input&quot;);

// Bind the user input to the parameter
$stmt-&gt;bindParam(&#039;:input&#039;, $userInput);

// Execute the query
$stmt-&gt;execute();

// Fetch the results
$results = $stmt-&gt;fetchAll(PDO::FETCH_ASSOC);

// Use the results as needed
foreach ($results as $row) {
    // Process each row
}

Keywords

SQL injection prepared statements PDO mysqli_real_escape_string parameterized queries

What is the best practice for securely querying a database in PHP using user input?

Keywords

Related Questions