What are the potential pitfalls of not using prepared statements in PHP when interacting with a database?
Building SQL by concatenating or interpolating user input is the classic path to SQL injection: a single quote or comment sequence in the input changes the structure of the query, so an attacker can read rows they are not entitled to, bypass a login check, or modify and delete data, limited only by the privileges of the database account the application uses. Manual escaping (addslashes, hand-written quoting) is error-prone and easy to forget in one code path. Prepared statements fix this by sending the SQL text to the server first and binding the input separately, so the input is treated strictly as data and can never become part of the query's syntax. Two caveats: placeholders only bind values, so identifiers such as table or column names (for example in an ORDER BY) still need an allowlist, and with pdo_mysql you should set PDO::ATTR_EMULATE_PREPARES to false so the driver uses real server-side prepares rather than client-side quoting.
// Using prepared statements to prevent SQL injection.
// Assumes $pdo is an open PDO connection and $username holds untrusted input (e.g. from $_POST).
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares (relevant for pdo_mysql)
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->bindValue(':username', $username, PDO::PARAM_STR); // bound as data, never spliced into the SQL text
$stmt->execute();
$user = $stmt->fetch(PDO::FETCH_ASSOC); // false when no row matches
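To make the difference concrete, here is an added, runnable example (not part of the original answer) that puts the vulnerable string-built query next to its prepared-statement replacement and also shows the identifier caveat. It uses an in-memory SQLite database so it runs offline; the users table, its two rows and the attacker-controlled input are constructed for the demo, and the function names are my own. Note that pdo_sqlite ignores PDO::ATTR_EMULATE_PREPARES; the line is kept because it matters on pdo_mysql.

```php
<?php
// Added example: string-built SQL vs. a prepared statement, against in-memory SQLite.
// The schema, rows and the malicious input below are constructed for this demo.
declare(strict_types=1);

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // no-op for SQLite, important for pdo_mysql
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");
    return $pdo;
}

// VULNERABLE: the input is spliced into the SQL text, so quotes in it change the query's structure.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the SQL text is fixed at prepare time; the input is bound as a value and cannot become syntax.
function findUserPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Caveat: placeholders bind values only. An identifier such as a sort column cannot be bound,
// so it is checked against an allowlist before being placed into the SQL text.
function listUsersSorted(PDO $pdo, string $sortColumn): array
{
    $allowed = ['id', 'username', 'email'];
    if (!in_array($sortColumn, $allowed, true)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    $stmt = $pdo->prepare("SELECT id, username FROM users ORDER BY \"$sortColumn\"");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = makeDb();
$attackerInput = "' OR '1'='1"; // constructed malicious input

// Concatenation turns the query into: ... WHERE username = '' OR '1'='1', which is true for every row.
echo "Vulnerable: " . count(findUserVulnerable($pdo, $attackerInput)) . " row(s)\n";
// The prepared query searches for a user whose name is literally the string ' OR '1'='1.
echo "Prepared:   " . count(findUserPrepared($pdo, $attackerInput)) . " row(s)\n";
echo "Legit:      " . count(findUserPrepared($pdo, 'alice')) . " row(s)\n";

try {
    listUsersSorted($pdo, 'username; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo "Rejected identifier: " . $e->getMessage() . "\n";
}
```

Run it with `php example.php` (the pdo_sqlite extension is bundled with most PHP builds). The vulnerable function returns both rows for the malicious input, the prepared one returns none, and the sort-column check rejects anything outside the allowlist; the allowlist is the right tool there because no placeholder can carry an identifier.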