PHP Academy · Lesson

SQL Injection and Parameterized Queries

Eliminate injection risks by always using prepared statements with PDO.

What is SQL Injection?

SQL injection occurs when user-supplied data is embedded directly in a SQL query, allowing attackers to manipulate the query to access, modify, or delete data.

Classic Example

Concatenating user input into SQL:

<?php
// VULNERABLE: attacker enters username = "' OR '1'='1"
$sql = "SELECT * FROM users WHERE username = '".$_GET["username"]."'";
// Becomes: SELECT * FROM users WHERE username = '' OR '1'='1'
// Returns ALL users!
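The lesson names the fix (prepared statements with PDO) but does not show it. The block below is an added example, not code from the PHP Academy lesson: it puts the concatenated query beside its parameterized form and runs both against an in-memory SQLite database so it executes offline. The table, its three rows, the function names and the `$username` value are all constructed for the demonstration; the payload itself is the one the lesson uses.

```php
<?php
// Added example (not from the PHP Academy lesson). Assumes the pdo_sqlite
// extension; the users table and its rows are constructed for this demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob'), ('carol')");

// VULNERABLE: the input is spliced into the SQL text, so the quote at the
// start of the payload closes the string literal and the rest is parsed as SQL.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: the SQL text is fixed and prepared first; the value is bound
// afterwards and is only ever compared as data, never parsed as SQL.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The same value the lesson shows arriving in $_GET["username"].
$username = "' OR '1'='1";

echo 'vulnerable: ' . json_encode(findUserVulnerable($pdo, $username)) . PHP_EOL;
echo 'safe:       ' . json_encode(findUserSafe($pdo, $username)) . PHP_EOL;
echo 'safe, real user: ' . json_encode(findUserSafe($pdo, 'bob')) . PHP_EOL;
```

Running it shows the difference in one screen: the concatenated version turns the WHERE clause into `username = '' OR '1'='1'` and returns every row, while the prepared version looks for a user whose name is literally `' OR '1'='1` and returns nothing, yet still finds `bob` when given a real name. The point is that binding separates the query's structure from its data, which escaping functions cannot fully guarantee. Two caveats: placeholders can bind only values, so table or column names and ORDER BY targets that come from user input must be checked against an allow-list instead; and on MySQL, set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server rather than the client library handles the placeholders.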
