What are common syntax errors to avoid when using PHP for MySQL queries?

One common syntax error to avoid when using PHP for MySQL queries is not properly escaping strings in the query. This can lead to SQL injection attacks and unexpected behavior. To prevent this, always use prepared statements with placeholders for dynamic data.

// Incorrect way without using prepared statements
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($connection, $query);

// Correct way using prepared statements
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username=? AND password=?";
$stmt = mysqli_prepare($connection, $query);
mysqli_stmt_bind_param($stmt, "ss", $username, $password);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);