What are some potential pitfalls when using MySQL queries in PHP, as seen in the provided code snippet?

One potential pitfall when using MySQL queries in PHP is the risk of SQL injection attacks if user input is not properly sanitized. To prevent this, it is important to use prepared statements or parameterized queries to securely pass user input to the database.

// Original code snippet (vulnerable: request values are interpolated straight into the SQL text)
$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($conn, $query);

// Fixed code snippet using prepared statements
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// The SQL text contains only placeholders; the driver sends the values separately, so they can never change the query structure.
$query = "SELECT * FROM users WHERE username = ? AND password = ?";
$stmt = mysqli_prepare($conn, $query);
if ($stmt === false) {
    throw new RuntimeException('Prepare failed: ' . mysqli_error($conn));
}
// 'ss' declares both bound values as strings.
mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
mysqli_stmt_execute($stmt);
// mysqli_stmt_get_result() requires the mysqlnd driver; fall back to mysqli_stmt_bind_result() otherwise.
$result = mysqli_stmt_get_result($stmt);
mysqli_stmt_close($stmt);
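The following is an added example, not code from the original answer. It reproduces the login query pattern above in a form that runs offline and shows concretely why the interpolated version is exploitable and the prepared version is not: the same payload logs in against the first and is treated as plain data by the second. Assumptions: PDO with an in-memory SQLite database stands in for mysqli/MySQL so no server is needed (the placeholder mechanics are the same), and the users table, the sample row and the payload are constructed here.

```php
<?php
// Added example (not part of the original answer): string-interpolated login
// query versus a prepared statement, exercised with a classic injection payload.
// Assumption: PDO + in-memory SQLite replaces mysqli/MySQL so this runs stand-alone.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)');
    // Constructed sample row. The password is stored in clear only to mirror the
    // original snippet, which compares the password inside the SQL statement.
    $ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $ins->execute(['alice', 'correct horse battery staple']);
    return $db;
}

// Vulnerable form: the same string interpolation as the original snippet.
function loginInterpolated(PDO $db, string $username, string $password): bool
{
    $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    return $db->query($query)->fetch() !== false;
}

// Fixed form: placeholders; the values never become part of the SQL text.
function loginPrepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return $stmt->fetch() !== false;
}

// Fails loudly if a case does not behave as the text above claims.
function check(string $label, bool $got, bool $expected): void
{
    if ($got !== $expected) {
        throw new RuntimeException("$label: expected " . var_export($expected, true) . ", got " . var_export($got, true));
    }
    echo $label . ': ' . ($got ? 'logged in' : 'rejected') . PHP_EOL;
}

$db = makeDb();

// Closes the quoted literal and appends an always-true condition; with AND binding
// tighter than OR the WHERE clause becomes true for every row.
$payload = "' OR '1'='1";

check('interpolated, wrong password', loginInterpolated($db, 'alice', 'wrong'), false);
check('interpolated, injection payload', loginInterpolated($db, $payload, $payload), true);
check('prepared, wrong password', loginPrepared($db, 'alice', 'wrong'), false);
check('prepared, injection payload', loginPrepared($db, $payload, $payload), false);
check('prepared, correct password', loginPrepared($db, 'alice', 'correct horse battery staple'), true);
```

Run it with `php login_demo.php`; the second line shows the bypass against the interpolated query, the fourth shows the identical input rejected by the prepared statement because the driver passes it as a value rather than as SQL. Note that parameterization fixes the injection but not the second weakness both snippets share: the password is compared inside the database in clear. In a real login the stored value should be the output of password_hash(), the query should select only by username, and the comparison should be done in PHP with password_verify().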