How can proper escaping and quoting of user input improve the security and reliability of SQL queries in PHP?

Improper escaping and quoting of user input in SQL queries can lead to SQL injection attacks, where malicious SQL code is injected into the query. To prevent this, user input should be properly escaped and quoted before being included in the query. This can be done using prepared statements or using functions like mysqli_real_escape_string().

// Example of using mysqli_real_escape_string to properly escape user input in a SQL query

// Assume $conn is a mysqli connection object

$user_input = $_POST['user_input']; // User input to be included in the query

$escaped_input = mysqli_real_escape_string($conn, $user_input);

$query = "SELECT * FROM users WHERE username='$escaped_input'";

$result = mysqli_query($conn, $query);

// Process the query result