What security vulnerability is present in the provided PHP code snippet that deals with database queries?

The security vulnerability present in the provided PHP code snippet is the use of concatenation to build SQL queries, which makes the code susceptible to SQL injection attacks. To solve this issue, it is recommended to use prepared statements with parameterized queries to prevent malicious input from being executed as SQL commands. 

// Vulnerable code snippet
$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($connection, $query);

// Fixed code snippet using prepared statements
$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username=? AND password=?";
$stmt = mysqli_prepare($connection, $query);
mysqli_stmt_bind_param($stmt, "ss", $username, $password);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

Keywords

SQL injection prepared statements mysqli_real_escape_string input validation security vulnerability

Related Questions