Question

I’m developing a web application using PHP, and I’ve read a lot about the dangers of SQL injection attacks. 

I’m currently using raw queries like this in my code:

$query = "SELECT * FROM users WHERE username = '$user_input'";

I know this is vulnerable to SQL injection, but I’m unsure about the best way to secure my application against such attacks. What are the best practices in PHP to prevent SQL injection? Should I be using prepared statements or something else? Any code examples would be helpful to understand how to properly implement security in my SQL queries.

Answer 1

The best way to prevent any SQL injection in PHP is to use prepared statements with parametrized queries. This technique prevents malicious inputs from being executed as SQL code.

Here's an example on how SQL queries can be handles securely using PDO (PHP Data Objects):

<?php
// Establish a connection
$pdo = new PDO('mysql:host=localhost;dbname=testdb', 'username', 'password');

$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
$stmt->bindParam(':username', $user_input);
$stmt->execute();

$results = $stmt->fetchAll();
?>

In this example, the :username placeholder is ensuring that the input is treated as data and not as a executable code.