Prevent SQL injection attacks with prepared statements
Bit of a hot topic lately in my inbox. Here's what an old, vulnerable query might look like:

```php
$expected_data = 1; // in practice this value comes straight from user input, e.g. $_GET['id']
$query = "SELECT * FROM users where id=$expected_data";
$result = $mysqli->query($query);
```

The problem here is that we're injecting user-submitted data directly into our SQL statement without any sort of escaping or validation. So a hacker could enter something like this in our form:

```
1; DROP TABLE users;
```

Changing our full query to:

```sql
SELECT * FROM users where id=1; DROP TABLE users;
```

Which, as you can probably see, would execute the SELECT statement and then drop our users table. No bueno.

One caveat worth knowing: mysqli::query() sends a single statement, and MySQL rejects the stacked DROP above with a syntax error. The same payload does run if the code uses mysqli::multi_query() instead. Even with plain query(), though, an attacker doesn't need a second statement to do damage: entering 1 OR 1=1 turns the query into SELECT * FROM users where id=1 OR 1=1 and returns every row in the table.
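Here is the vulnerable lookup beside its prepared-statement fix, as an added example rather than code from the original post. It assumes an open mysqli connection in $mysqli (with the mysqlnd driver, which get_result() and fetch_all() need) and a users table whose id column is an integer; the function names and the connection parameters in the usage comment are made up for illustration.

```php
<?php
// Added example, not code from the original post. Assumes a mysqli connection
// in $mysqli (mysqlnd driver) to a database with a `users` table that has an
// integer `id` column.

// VULNERABLE: user input is interpolated straight into the SQL text.
// mysqli::query() sends one statement, so a stacked "1; DROP TABLE users"
// payload fails with a syntax error here, but "1 OR 1=1" still returns
// every row in the table.
function find_user_vulnerable(mysqli $mysqli, string $user_input): ?array
{
    $query = "SELECT * FROM users WHERE id=$user_input";
    $result = $mysqli->query($query);
    if ($result === false) {
        return null;
    }
    return $result->fetch_all(MYSQLI_ASSOC);
}

// FIXED: a prepared statement keeps the SQL text and the value separate.
// The driver sends "SELECT * FROM users WHERE id=?" once, then the bound
// value, so whatever the user typed is never parsed as SQL.
function find_user_safe(mysqli $mysqli, string $user_input): ?array
{
    // Validate the type first: an id must be a non-negative integer.
    // This is defence in depth; the parameter binding below is what
    // actually prevents injection.
    $options = ['options' => ['min_range' => 0]];
    if (filter_var($user_input, FILTER_VALIDATE_INT, $options) === false) {
        return null;
    }
    $id = (int) $user_input;

    $stmt = $mysqli->prepare("SELECT * FROM users WHERE id=?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("i", $id); // "i": the parameter is sent as an integer
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage (hypothetical connection parameters):
// $mysqli = new mysqli("localhost", "app", "secret", "appdb");
// var_dump(find_user_vulnerable($mysqli, "1 OR 1=1")); // every row comes back
// var_dump(find_user_safe($mysqli, "1 OR 1=1"));       // null: rejected by validation
// var_dump(find_user_safe($mysqli, "1"));              // only the row with id 1
```

Even without the filter_var() check, binding "1 OR 1=1" with the "i" type would send the integer 1 to the server, not the text, so at worst the attacker gets the single row they were allowed to ask for. The validation is there so that malformed input is rejected loudly instead of being silently coerced.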