What potential security risks are associated with directly inserting user input into a database query in PHP?

Directly inserting user input into a database query in PHP exposes the application to SQL injection: an attacker who controls part of the query string can alter its structure to read or modify data they should not reach. To prevent this, always use prepared statements with parameterized queries, so that user input is passed to the database as bound data rather than being concatenated into the SQL text, and still validate the input against what your application expects.

// Using prepared statements to prevent SQL injection
// Throw exceptions on database errors instead of failing silently
$pdo = new PDO("mysql:host=localhost;dbname=myDB", "username", "password", [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// User input (default to an empty string if the field is missing)
$userInput = $_POST['user_input'] ?? '';

// Prepare a SQL statement with a named placeholder; the SQL text never contains user data
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");

// Bind the user input to the placeholder as a string value
$stmt->bindParam(':username', $userInput, PDO::PARAM_STR);

// Execute the query
$stmt->execute();

// Fetch the results
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Process the results
foreach ($results as $row) {
    // Process each row
}
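As an added example that is not part of the original answer, the following contrasts the concatenated query with a parameterized one and covers two cases the basic snippet does not: a sort column, which cannot be bound as a parameter and must be checked against an allow-list, and a LIKE pattern whose wildcard characters need escaping. The `users` table columns, DSN and credentials are assumed placeholders.

```php
<?php
// Added example, not the original answer's code. Assumes a `users` table with
// columns id, username, email, created_at; DSN and credentials are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=myDB;charset=utf8mb4', 'username', 'password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares: data never enters the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// VULNERABLE (for contrast only): the user-controlled value becomes part of the SQL grammar,
// so any quote or operator in it changes what the query means.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll();
}

// HARDENED: values are bound as parameters; the ORDER BY identifier cannot be a
// parameter, so it is mapped through an allow-list of known column names instead.
function searchUsers(PDO $pdo, string $prefix, string $sortBy = 'username'): array
{
    $allowedSort = ['username' => 'username', 'created' => 'created_at'];
    if (!isset($allowedSort[$sortBy])) {
        throw new InvalidArgumentException('unsupported sort column');
    }

    // Escape LIKE metacharacters so a user-supplied "%" or "_" matches literally
    // (MySQL's default LIKE escape character is the backslash).
    $pattern = addcslashes($prefix, '\%_') . '%';

    $stmt = $pdo->prepare(
        "SELECT id, username, email FROM users
         WHERE username LIKE :pattern
         ORDER BY {$allowedSort[$sortBy]}
         LIMIT :limit"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':limit', 50, PDO::PARAM_INT); // typed binding for LIMIT
    $stmt->execute();
    return $stmt->fetchAll();
}

$pdo  = connect();
$rows = searchUsers($pdo, $_GET['q'] ?? '', $_GET['sort'] ?? 'username');
```

Only values (strings, numbers, dates) can be bound; table and column names, sort directions and similar structural parts of a query must come from a fixed allow-list in your code, as shown with `$allowedSort`.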