What are the benefits of using prepared statements in PHP for database queries instead of directly inserting user input?

Using prepared statements in PHP for database queries helps prevent SQL injection attacks by separating SQL code from user input. This way, user input is treated as data rather than executable code, making it safer to insert into SQL queries. Prepared statements also improve performance by allowing the database to optimize query execution.

// Using prepared statements to insert user input into a database table
$pdo = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password");

$name = $_POST['name'];
$email = $_POST['email'];

$stmt = $pdo->prepare("INSERT INTO users (name, email) VALUES (:name, :email)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':email', $email);
$stmt->execute();