PHP SQL Injection

SQL Injection in PHP is a security vulnerability that allows an attacker to manipulate SQL queries by injecting malicious input into a form field or URL parameter. If your PHP code directly inserts user input into SQL statements without validation or escaping, attackers can bypass login, steal data, or even delete your database.

Copy<?php
$email = $_GET['email'];
$sql = "SELECT * FROM users WHERE email = '$email'";
$result = mysqli_query($conn, $sql);
?>

This code is unsafe because it directly inserts user input into the SQL query, which makes it vulnerable to SQL Injection attacks. If a user visits your page like this:

https://example.com/page.php?email=' OR '1'='1'

This condition is always true ('1'='1'), so all user records will be returned, even without a valid email.

Why it's dangerous:

• Attackers can bypass login
• Access, modify or delete data
• Drop entire tables (e.g. DROP TABLE users)
• Expose sensitive user information

• Always use prepared statements (MySQLi or PDO)
• Never directly insert user input into SQL queries
• Validate and sanitize input
• Store passwords using password_hash() and password_verify()

This code is safe from SQL Injection because it uses prepared statements with parameter binding — a secure way to handle user input.

- Query is prepared with placeholders (? marks)
- bind_param safely inserts user values
- SQL engine escapes dangerous input automatically

Copy<?php
$conn = new mysqli("localhost", "root", "", "test");
$stmt = $conn->prepare("SELECT * FROM users WHERE email = ?");
$stmt->bind_param("s", $email);
$email = $_GET['email'];
$stmt->execute();
$result = $stmt->get_result();
?>

PDO also protects against SQL Injection by using prepared statements and named parameters like :email.

Copy<?php
$pdo = new PDO("mysql:host=localhost;dbname=test", "root", "");
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email");
$stmt->execute(['email' => $_GET['email']]);
$result = $stmt->fetchAll();
?>