How can PHP developers ensure the security of their database queries when accepting user input for record retrieval?

To ensure the security of database queries when accepting user input for record retrieval, PHP developers should use prepared statements with parameterized queries. This approach helps prevent SQL injection attacks by separating SQL code from user input. By binding parameters to placeholders in the query, developers can ensure that user input is treated as data rather than executable code.

// Establish a database connection
$pdo = new PDO('mysql:host=localhost;dbname=mydatabase', 'username', 'password');

// User input
$userInput = $_GET['user_input'];

// Prepare a SQL statement with a parameterized query
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
$stmt->bindParam(':username', $userInput);
$stmt->execute();

// Fetch the results
$results = $stmt->fetchAll();

// Process the results
foreach ($results as $row) {
    // Output or process each row
}