---
title: Always Use Parameterized Queries
impact: CRITICAL
impactDescription: prevents SQL injection attacks
tags: injection, sql, database, parameterized, security, php
---

## Always Use Parameterized Queries

SQL injection is one of the top security vulnerabilities in PHP applications. Concatenating or interpolating untrusted variables directly into an SQL string lets the input change the structure of the statement, so an attacker can execute arbitrary database commands, steal data, or destroy databases. Parameterized queries send the SQL text and the values separately, so a value is only ever treated as data, never parsed as SQL.

**Incorrect (string concatenation):**

```php
// SQL Injection vulnerability
$userId = $_GET['id'];
$query = "SELECT * FROM users WHERE id = '" . $userId . "'";
$result = $conn->query($query);

// Attacker input: ' OR '1'='1
// Resulting query: SELECT * FROM users WHERE id = '' OR '1'='1'
// Returns ALL users!
```

**Correct (parameterized queries):**

```php
// Using PDO (Recommended)
// Prefer native prepares so the server, not PHP, keeps code and data apart:
// set PDO::ATTR_EMULATE_PREPARES => false in the connection options.
$userId = $_GET['id'];
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = :id");
$stmt->execute(['id' => $userId]);
$user = $stmt->fetch();

// Using MySQLi (Prepared Statements)
$stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");
$stmt->bind_param("s", $userId);   // "s" = string; use "i" when the column is an integer
$stmt->execute();
$result = $stmt->get_result();

// Using Laravel Eloquent (Safe by default)
// Query-builder methods bind values for you; raw methods (whereRaw, DB::raw,
// DB::select with interpolated strings) do not, and still need explicit bindings.
$user = User::where('id', $userId)->first();
```
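Placeholders only stand for values. A practitioner runs into two cases the rule above does not show: a variable-length `IN (...)` list, and identifiers or keywords chosen by the request (`ORDER BY` column, sort direction, `LIMIT`), which no driver can bind. The following is an added example, not code from the original rule; the DSN, credentials, table and column names are constructed placeholders, and `findUsersByIds` / `listUsersSorted` are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Added example (not part of the original rule). Connection details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares: the server separates code from data
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

/**
 * Fetch users by a variable-length list of ids.
 * A single placeholder cannot stand for a whole IN (...) list, so one "?" is
 * generated per value; every value is still bound, never concatenated.
 */
function findUsersByIds(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $ids = array_map('intval', array_values($ids));      // defensive cast; binding is the real protection
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, email FROM users WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional parameters are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll();
}

/**
 * Sort by a user-chosen column. Identifiers and keywords cannot be bound as
 * parameters, so the request selects a key and the code maps it to SQL it wrote
 * itself (an allowlist). Unknown keys fall back to a safe default.
 */
function listUsersSorted(PDO $pdo, string $sortKey, string $direction, int $limit): array
{
    $columns = ['name' => 'name', 'created' => 'created_at', 'email' => 'email']; // allowlist
    $column  = $columns[$sortKey] ?? 'id';
    $dir     = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    $limit   = max(1, min($limit, 100));

    // $column and $dir are our own literals from above; $limit is bound as an integer.
    // PDO::PARAM_INT matters here: a quoted LIMIT value is a syntax error in MySQL.
    $stmt = $pdo->prepare("SELECT id, email FROM users ORDER BY $column $dir LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Request-shaped untrusted input, with constructed defaults for running the example.
$ids = array_map('intval', explode(',', $_GET['ids'] ?? '1,2,3'));
print_r(findUsersByIds($pdo, $ids));
print_r(listUsersSorted(
    $pdo,
    $_GET['sort'] ?? 'created',
    $_GET['dir'] ?? 'desc',
    (int) ($_GET['limit'] ?? 20)
));
```

The two functions illustrate the rule of thumb: anything that is a value goes through a placeholder, and anything that is part of the SQL grammar (identifier, keyword) must come from a fixed set the code controls. The `intval` and `max`/`min` calls are input validation, not the injection defence; the binding and the allowlist are.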

**Tools:** PHPStan (DBA extension), SonarQube (S2077, S3649), Psalm, Semgrep
