What are common pitfalls when using SQL queries in PHP?

One common pitfall when using SQL queries in PHP is not properly sanitizing user input, which can leave your application vulnerable to SQL injection attacks. To prevent this, always use prepared statements with parameterized queries to securely pass user input into your SQL queries. Example PHP code snippet using prepared statements:

// Connect to database
$pdo = new PDO('mysql:host=localhost;dbname=mydatabase', 'username', 'password');

// Prepare SQL statement with placeholders
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');

// Bind parameter values
$stmt->bindParam(':username', $_POST['username']);

// Execute the query
$stmt->execute();

// Fetch results
$results = $stmt->fetchAll();

// Loop through results
foreach ($results as $row) {
    echo $row['username'] . '<br>';
}