What are the advantages of using prepared statements over directly embedding variables in SQL queries?

Using prepared statements in SQL queries helps prevent SQL injection attacks by separating the SQL query logic from the user input data. This means that user input data is treated as data rather than executable code, making it safer to insert variables into SQL queries. Prepared statements also improve performance by allowing the database to optimize the query execution plan.

// Using prepared statements in PHP with PDO
$pdo = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password");

// Prepare a SQL query
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");

// Bind parameters
$stmt->bindParam(':username', $username, PDO::PARAM_STR);

// Execute the query
$stmt->execute();

// Fetch results
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);