This wikiHow teaches you how to prevent SQL injection using Prepared Statements in PHP. SQL injection is one of the most common vulnerabilities in Web applications today. Prepared Statements use bound parameters and do not combine variables with SQL strings, making it impossible for an attacker to modify the SQL statement.

Prepared Statements combine the variable with the compiled SQL statement, so that the SQL and the variables are sent separately. The variables are then interpreted as mere strings and not part of the SQL statement. Using the methods in the steps below, you will not need to use any other SQL injection filtering techniques such as the mysql_real_escape_string().^[1]