What are the potential risks of not using prepared statements in PHP when querying a database?

Using prepared statements in PHP when querying a database helps prevent SQL injection attacks by separating SQL code from user input. Without prepared statements, user input is directly concatenated into the SQL query, making it vulnerable to malicious input that can alter the query's logic and potentially compromise the database.

// Using prepared statements to prevent SQL injection
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->bindParam(':username', $username);
$stmt->execute();