What potential security issue is present in the provided PHP code snippet?

The potential security issue in the provided PHP code snippet is the use of user input directly in a SQL query without proper sanitization. This leaves the code vulnerable to SQL injection attacks, where malicious users can manipulate the query to perform unauthorized actions on the database. To solve this issue, you should use prepared statements with parameterized queries to safely handle user input.

// Original code snippet with security issue
$username = $_POST[&#039;username&#039;];
$password = $_POST[&#039;password&#039;];

$query = &quot;SELECT * FROM users WHERE username = &#039;$username&#039; AND password = &#039;$password&#039;&quot;;
$result = mysqli_query($conn, $query);

// Fixed code snippet using prepared statements
$username = $_POST[&#039;username&#039;];
$password = $_POST[&#039;password&#039;];

$query = &quot;SELECT * FROM users WHERE username = ? AND password = ?&quot;;
$stmt = $conn-&gt;prepare($query);
$stmt-&gt;bind_param(&quot;ss&quot;, $username, $password);
$stmt-&gt;execute();
$result = $stmt-&gt;get_result();

Keywords

SQL injection user input prepared statements security vulnerability data sanitization

What potential security issue is present in the provided PHP code snippet?

Keywords

Related Questions