SQL injection is a security vulnerability that occurs when user-supplied input is concatenated into a SQL statement without being properly separated from the query text, so the database parses part of the input as SQL. To prevent SQL injection attacks in PHP, use prepared statements and parameterized queries.
Prepared statements and parameterized queries send the SQL query to the database with placeholders for the parameters, and then pass the parameter values separately. Because the statement text is fixed before the values arrive, user-supplied input is always treated as data and never as part of the SQL; the database driver, not your code, takes care of any quoting or escaping.
Here’s an example of how to use prepared statements and parameterized queries in PHP to prevent SQL injection:
// $db is an open mysqli connection, e.g. $db = new mysqli('localhost', 'user', 'pass', 'app');
$stmt = $db->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
$stmt->bind_param('ss', $username, $password); // 'ss': both placeholders are bound as strings
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with the row
}
// Note: comparing the password inside the query implies it is stored in plaintext;
// in practice, fetch the stored hash by username and check it with password_verify().
In this example, we use the $db->prepare() method to create a prepared statement with placeholders for the username and password parameters. Then, we use the bind_param() method to bind the values of the $username and $password variables to the placeholders in the prepared statement; the first argument, 'ss', declares that both bound values are strings. Finally, we use the execute() method to execute the prepared statement, and we use the get_result() method to retrieve the results of the query.
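The following is an added example, not code from the original page, that places the concatenation-based lookup beside its prepared-statement replacement, moves the password check out of the SQL and into password_verify(), and shows the one case placeholders cannot cover (a column name used in ORDER BY), which has to be allow-listed instead. The connection details, table and column names are assumed.

```php
<?php
declare(strict_types=1);

// Assumed connection; host, credentials and database name are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = new mysqli('localhost', 'app_user', 'app_password', 'app');
$db->set_charset('utf8mb4');

// VULNERABLE: the input is pasted into the SQL text, so the database parses it as SQL.
function findUserUnsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    return $db->query($sql)->fetch_assoc() ?: null;
}

// SAFE: the statement text is fixed; $username travels separately as a bound value.
function findUser(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Login: fetch the stored hash by username, then verify in PHP instead of comparing
// the password inside the query (which would require storing it in plaintext).
function login(mysqli $db, string $username, string $password): ?int
{
    $user = findUser($db, $username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    return (int) $user['id'];
}

// Placeholders stand in for values only. An identifier such as a sort column cannot be
// bound, so it is checked against a fixed allow-list before being spliced into the SQL.
function listUsers(mysqli $db, string $orderBy, int $limit): array
{
    $allowed = ['username', 'created_at'];
    if (!in_array($orderBy, $allowed, true)) {
        $orderBy = 'username';
    }
    $stmt = $db->prepare("SELECT id, username FROM users ORDER BY $orderBy LIMIT ?");
    $stmt->bind_param('i', $limit); // 'i': the limit is bound as an integer
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

With MYSQLI_REPORT_STRICT enabled, a failed prepare() or execute() throws a mysqli_sql_exception instead of silently returning false, so errors cannot be swallowed into an empty result.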