SyntaxStudy
PHP SQL Injection Prevention
PHP Beginner 4 min read

SQL Injection Prevention

SQL Injection

Never concatenate user input into SQL. Use PDO or MySQLi prepared statements to separate code from data.

Example
// Vulnerable: the request value is spliced into the SQL text, so the database parses it as part of the query
$sql = "SELECT * FROM users WHERE email = '" . $_GET["email"] . "'";
// Safe: PDO prepared statement; :email is a placeholder and the value is sent separately from the SQL
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email AND active = 1");
$stmt->execute(["email" => $_GET["email"]]);
$user = $stmt->fetch();
// Laravel Eloquent (parameterised automatically): the query builder binds the value for you
$user = User::where("email", request("email"))->first();
Pro Tip

Prepared statements send the SQL structure and the data values to the server separately, so a bound value can never change the meaning of the query: injection through a bound parameter is structurally impossible. Only values can be bound, though. Table and column names (including ORDER BY targets) cannot, so those must be chosen from a fixed allow-list in your code rather than taken from the request.
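The following is an added example, not code from the original page: a self-contained PHP script that applies the advice above end to end. It uses an in-memory SQLite database through PDO (an assumption made so it runs offline; the page's examples target MySQL), seeds a constructed users table, looks a user up through a bound parameter, and handles the one case parameters cannot cover, a user-chosen sort column, with an allow-list. The function names, table contents and the example addresses are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed example (not from the original page): an in-memory SQLite
// database stands in for the MySQL users table, so this runs offline with
// only the pdo_sqlite extension available.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    // Ask for real server-side prepares rather than client-side string
    // interpolation (matters for the MySQL driver; SQLite ignores it).
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, active INTEGER NOT NULL)');

// Seed rows through a prepared statement too; note the apostrophe in the
// third address, which would have broken a concatenated INSERT.
$seed = $pdo->prepare('INSERT INTO users (email, active) VALUES (:email, :active)');
foreach ([['alice@example.com', 1], ['bob@example.com', 0], ["o'brien@example.com", 1]] as [$email, $active]) {
    $seed->execute(['email' => $email, 'active' => $active]);
}

/**
 * Look up an active user by email. The value travels as a bound parameter,
 * so the database never parses it as SQL, whatever characters it contains.
 */
function findActiveUser(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email AND active = 1');
    $stmt->execute(['email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

/**
 * Identifiers cannot be bound as parameters, so a user-chosen sort column is
 * mapped through a fixed allow-list; anything unknown falls back to "id".
 * The LIMIT value is a plain integer and is bound with an explicit type.
 */
function listUsers(PDO $pdo, string $sortBy, int $limit): array
{
    $allowed = ['id' => 'id', 'email' => 'email'];
    $column  = $allowed[$sortBy] ?? 'id';
    $stmt = $pdo->prepare("SELECT id, email FROM users ORDER BY $column LIMIT :limit");
    $stmt->bindValue(':limit', max(1, min($limit, 100)), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

print_r(findActiveUser($pdo, 'alice@example.com'));    // id 1, alice@example.com
var_dump(findActiveUser($pdo, 'bob@example.com'));      // NULL: row exists but is inactive
print_r(findActiveUser($pdo, "o'brien@example.com"));   // found: the quote is just data
var_dump(findActiveUser($pdo, 'nobody@example.com'));   // NULL: no such row
print_r(listUsers($pdo, 'email', 2));                   // sorted by email, 2 rows
print_r(listUsers($pdo, 'created_at', 2));              // unknown column: sorted by id instead
```

The split in listUsers is the point of the Pro Tip: the SQL text is assembled only from strings the code itself owns (the allow-listed column), while every value that originates in the request reaches the database as a bound parameter. If a query needs a user-controlled identifier and there is no allow-list for it, that is a design problem to fix, not something to solve with escaping.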