

To solve this problem you have to follow the steps below:

Applying prepared statements and parameterized queries:

These are SQL statements that are transmitted to and parsed by the database server separately from any parameters. If you follow this method it is impossible for an attacker to inject malicious SQL.

You basically have two options to achieve this:


1. Employing PDO (for any supported database driver)

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');

$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}


2. Employing MySQLi (for MySQL)

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'

$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}


If you are connecting to a database other than MySQL, there is a driver-specific second option that you can refer to (for example, pg_prepare() and pg_execute() for PostgreSQL). Note that PDO is the universal choice.

posted Jun 28 in php 12,840 points
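An added example (not part of the answer above) showing why the PDO approach works: the same lookup written with string concatenation and with a prepared statement, run side by side against an in-memory SQLite database so it needs no server. The table, rows and test inputs are constructed for the demo.

```php
<?php
// Added example, not code from the original answer. Runs offline with pdo_sqlite.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Note for MySQL: also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not the driver, parses the statement before any value is bound.
$pdo->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO employees (name) VALUES ('alice'), ('bob'), ('O''Brien')");

// Vulnerable: the user-supplied value becomes part of the SQL text, so the
// database parses whatever the caller typed as query syntax.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM employees WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL is parsed first with a placeholder; the value is sent
// afterwards and can only ever be compared as data, never run as SQL.
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM employees WHERE name = :name');
    $stmt->execute(['name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a plain name, a name containing a quote, and an input
// that changes the meaning of the concatenated query.
$inputs = ['bob', "O'Brien", "' OR '1'='1"];

foreach ($inputs as $input) {
    printf("input %-14s prepared     -> %s\n", var_export($input, true),
           json_encode(findByNameSafe($pdo, $input)));
    try {
        printf("%-20s concatenated -> %s\n", '',
               json_encode(findByNameUnsafe($pdo, $input)));
    } catch (PDOException $e) {
        printf("%-20s concatenated -> SQL error: %s\n", '', $e->getMessage());
    }
}
```

The prepared version returns exactly the matching row for the first two inputs and nothing for the third, while the concatenated version fails on the apostrophe and returns every row for the third input.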