PHPprogramming~30 mins

Preventing injection with prepared statements in PHP - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Preventing injection with prepared statements

📖 Scenario: You are building a simple PHP script to safely insert user data into a database. This is important to stop bad people from messing with your database by typing harmful commands.

🎯 Goal: You will create a PHP script that uses prepared statements to safely add a user's name and email into a database table called users.

📋 What You'll Learn

Create a PDO connection to a MySQL database

Prepare an SQL INSERT statement with placeholders

Bind user input variables to the prepared statement

Execute the prepared statement safely

Print a success message after insertion

💡 Why This Matters

🌍 Real World

Prepared statements are used in real websites to keep user data safe and stop hackers from changing the database.

💼 Career

Knowing how to prevent SQL injection is a key skill for web developers and backend programmers working with databases.

Progress0 / 4 steps

Set up the database connection

Create a variable called $pdo that connects to a MySQL database named testdb on localhost with username root and password password using PDO.

PHP

<?php
// Create the PDO connection to MySQL
// Your code here

Need a hint?

Use new PDO() with the DSN string for MySQL, username, and password.

Prepare the SQL statement

Create a variable called $stmt that prepares the SQL INSERT statement INSERT INTO users (name, email) VALUES (:name, :email) using the $pdo connection.

PHP

<?php
$pdo = new PDO('mysql:host=localhost;dbname=testdb', 'root', 'password');
// Prepare the SQL statement with placeholders
// Your code here

Need a hint?

Use $pdo->prepare() with the SQL string containing :name and :email placeholders.

Bind values and execute the statement

Create variables $name with value 'Alice' and $email with value 'alice@example.com'. Then bind these variables to the prepared statement $stmt using bindParam for :name and :email. Finally, execute the statement.

PHP

prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
// Create variables and bind them to the statement
// Your code here

Need a hint?

Use bindParam to connect variables to placeholders, then call execute().

Print success message

Write a print statement that outputs 'User added successfully.' after the statement executes.

PHP

prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
$name = 'Alice';
$email = 'alice@example.com';
$stmt->bindParam(':name', $name);
$stmt->bindParam(':email', $email);
$stmt->execute();
// Print success message
// Your code here

Need a hint?

Use print('User added successfully.'); to show the message.