👋 Hey there, PHP developer! SQL injection is one of the most dangerous and common web vulnerabilities. It allows hackers to manipulate your SQL queries and gain unauthorized access to your database. But don’t worry—there’s a reliable solution: prepared statements. In this blog post, we’ll learn how to prevent SQL injection with prepared statements, especially using PHP and MySQLi/PDO. Whether you’re a beginner or brushing up on security practices, this guide will walk you through everything you need to know with simple, practical examples.

🛑 What is SQL Injection?

SQL Injection is a type of attack where the attacker inserts or “injects” malicious SQL code into a query. This happens when user input is directly concatenated into a query string.

Example of a Vulnerable Query

$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

If an attacker enters ' OR '1'='1 as both the username and password, the query becomes:

SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'

SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'

This will always return true, allowing unauthorized access!

💡 Why Prepared Statements?

Prepared statements solve this problem by separating SQL logic from data input. Instead of embedding variables directly into the query string, placeholders are used. These are then safely replaced with actual values during execution—eliminating the risk of injection.

🔒 How to Prevent SQL Injection with Prepared Statements in PHP

Let’s explore how prepared statements work using both MySQLi and PDO—the two most popular database access methods in PHP.

🧰 Using MySQLi Prepared Statements

MySQLi (MySQL Improved) offers both object-oriented and procedural ways to use prepared statements.

Example: Object-Oriented MySQLi Prepared Statement

$mysqli = new mysqli("localhost", "root", "", "testdb");

if ($mysqli->connect_error) {
    die("Connection failed: " . $mysqli->connect_error);
}

$stmt = $mysqli->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password); // 'ss' means two string parameters

$username = $_POST['username'];
$password = $_POST['password'];

$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows > 0) {
    echo "Login successful!";
} else {
    echo "Invalid credentials.";
}

$stmt->close();
$mysqli->close();

$mysqli = new mysqli("localhost", "root", "", "testdb");

if ($mysqli->connect_error) {
    die("Connection failed: " . $mysqli->connect_error);
}

$stmt = $mysqli->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password); // 'ss' means two string parameters

$username = $_POST['username'];
$password = $_POST['password'];

$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows > 0) {
    echo "Login successful!";
} else {
    echo "Invalid credentials.";
}

$stmt->close();
$mysqli->close();

Explanation:

• prepare(): Prepares the SQL query with placeholders.
• bind_param(): Binds input values to the placeholders.
• execute(): Runs the prepared query safely.
• This approach escapes special characters automatically and securely.

🛠 Using PDO Prepared Statements

PDO (PHP Data Objects) is another database access library that supports multiple database types.

Example: PDO Prepared Statement

try {
    $pdo = new PDO("mysql:host=localhost;dbname=testdb", "root", "");
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password");

    $stmt->bindParam(':username', $username);
    $stmt->bindParam(':password', $password);

    $username = $_POST['username'];
    $password = $_POST['password'];

    $stmt->execute();

    if ($stmt->rowCount() > 0) {
        echo "Login successful!";
    } else {
        echo "Invalid credentials.";
    }

} catch (PDOException $e) {
    echo "Error: " . $e->getMessage();
}

try {
    $pdo = new PDO("mysql:host=localhost;dbname=testdb", "root", "");
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password");

    $stmt->bindParam(':username', $username);
    $stmt->bindParam(':password', $password);

    $username = $_POST['username'];
    $password = $_POST['password'];

    $stmt->execute();

    if ($stmt->rowCount() > 0) {
        echo "Login successful!";
    } else {
        echo "Invalid credentials.";
    }

} catch (PDOException $e) {
    echo "Error: " . $e->getMessage();
}

Benefits of PDO:

• Supports multiple databases (MySQL, SQLite, PostgreSQL, etc.).
• Named placeholders (:username) are easier to read.
• Exception handling with try-catch makes debugging easier.

Common Mistakes to Avoid

Concatenating Input into SQL Strings

// Never do this!
$sql = "DELETE FROM users WHERE id = " . $_GET['id'];

// Never do this!
$sql = "DELETE FROM users WHERE id = " . $_GET['id'];

Use prepared statements with placeholders instead.

Trusting Client-Side Validation

JavaScript validation can be bypassed. Always validate and sanitize data on the server side before database operations.

Forgetting to Bind Parameters

Prepared statements are only safe when you bind values. If you prepare a statement but don’t bind the variables, it’s not safe.

Best Practices for Using Prepared Statements

✅ Use Parameterized Queries Everywhere

Apply prepared statements to all database queries that include user input, even for things like search, filtering, or updates.

✅ Hash Passwords Before Storing

Never store plain-text passwords. Use password_hash() and password_verify() in PHP for secure authentication.

$hashedPassword = password_hash($password, PASSWORD_DEFAULT);

$hashedPassword = password_hash($password, PASSWORD_DEFAULT);

✅ Escape Output, Not Input

Use escaping (like htmlspecialchars()) for output displayed on pages—not as a defense against SQL injection.

🛡️ Why SQL Injection Prevention Matters

Still not convinced? SQL injection can lead to:

• Data theft or leakage
• Full server compromise
• Unauthorized admin access
• Irreparable brand damage

According to OWASP, injection attacks remain among the top 10 web security threats worldwide.

👨‍💻 Real-World Scenario

Imagine running an eCommerce website. If you don’t secure the login form and a hacker gets in, they could:

• View customer credit card data
• Delete orders or product listings
• Inject malware into the site

With prepared statements, you seal that door shut.

FAQs About SQL Injection and Prepared Statements

1. What databases support prepared statements?

Most major DBMS like MySQL, PostgreSQL, SQLite, and SQL Server support them via drivers or abstraction layers like PDO.

2. Is escaping input enough to prevent SQL injection?

No. Escaping helps but is not foolproof. Prepared statements are the gold standard for preventing SQL injection.

3. Are prepared statements slower?

Not really. In fact, they’re often faster for repeated queries and definitely worth the micro-delay for the massive security boost.

4. Should I still validate inputs?

Absolutely! Prepared statements prevent SQL injection, but you still need input validation to prevent XSS, logic errors, or bad data.

🎯 Final Thoughts

SQL injection is a serious threat—but it’s also completely preventable. By using prepared statements, you can protect your web application and users from this common attack. Whether you’re working with MySQLi or PDO, the key takeaway is clear: never insert raw user input directly into SQL queries.

So the next time you write a database query, remember: prepare it, bind it, and stay secure.

If you found this helpful, don’t forget to check out our detailed guide on Handling User Input in PHP to further secure your forms and processes.

Happy (and safe) coding! 🔐💻