What are the best practices for handling user input in PHP to prevent code injection?

To prevent code injection in PHP, it is essential to sanitize and validate user input before using it in any database queries or outputting it to the browser. One common approach is to use functions like `mysqli_real_escape_string()` to escape special characters in user input. Additionally, using prepared statements with parameterized queries can help prevent SQL injection attacks.

// Sanitize user input to prevent code injection
$user_input = mysqli_real_escape_string($connection, $_POST['user_input']);

// Prepare a SQL statement using a parameterized query
$stmt = $connection->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param("s", $user_input);
$stmt->execute();
$result = $stmt->get_result();

// Output the sanitized user input
echo "User input: " . htmlspecialchars($user_input);