// Login lookup: each user-supplied value is escaped for the connection's
// character set before it is placed inside a quoted string in the SQL text.
// Escaping protects only values that sit inside quotes, as both do here.
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($db, $query);
// Article lookup: the id is used unquoted, so escaping would not help;
// instead it is forced to an integer before it reaches the query.
$id = (int)$_GET['id'];
$query = "SELECT * FROM articles WHERE id=$id";
$result = mysqli_query($db, $query);

In this example, the (int) cast converts a URL parameter to an integer. This prevents SQL injection attacks in which an attacker could place SQL code in the URL parameter, because only an integer can ever be interpolated into the query.

Package/Library: PHP has several built-in functions and extensions that can be used for database sanitization, including mysqli, PDO, filter_var, and htmlspecialchars. Several third-party libraries are also available, such as inputfilter.php and SafeMySQL.
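The two queries above rewritten with PDO prepared statements and filter_var(), as an added example that is not part of the original snippets. It assumes $dsn, $dbUser and $dbPass hold the connection details and that the table and column names are the ones used above.

```php
<?php
// Added example (not from the original page): the same two lookups using
// PDO prepared statements, so data is sent to the server separately from
// the SQL text and can never be parsed as part of the statement.
// Assumed: $dsn, $dbUser, $dbPass are defined elsewhere.
$pdo = new PDO($dsn, $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

// Login lookup: quotes or comment sequences in the input cannot change the
// structure of the statement because the values are bound, not interpolated.
function findUser(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT * FROM users WHERE username = :username AND password = :password'
    );
    $stmt->execute([':username' => $username, ':password' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Article lookup: validate the id before it reaches the query. filter_var()
// returns false for anything that is not a well-formed integer, whereas the
// (int) cast silently turns "12abc" into 12 and "abc" into 0.
function findArticle(PDO $pdo, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject malformed input instead of coercing it
    }
    $stmt = $pdo->prepare('SELECT * FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$user    = findUser($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
$article = findArticle($pdo, $_GET['id'] ?? '');
```

With emulated prepares disabled, the placeholders are bound by the MySQL server itself, so the protection does not depend on the client-side escaping rules that mysqli_real_escape_string relies on.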