What are the implications of using query() instead of prepared statements in PDO for executing SELECT statements in PHP?

Using query() instead of prepared statements in PDO for executing SELECT statements can leave your application vulnerable to SQL injection attacks. Prepared statements help prevent this by separating SQL code from user input. To fix this issue, always use prepared statements when executing SQL queries in PDO.

// Using prepared statements to execute a SELECT query in PDO
$pdo = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password");

$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->bindParam(':username', $username);
$stmt->execute();

$results = $stmt->fetchAll(PDO::FETCH_ASSOC);