What are the potential security risks of directly passing parameters via URL and inserting them into a MySQL database in PHP?

Passing parameters straight from the URL (for example from $_GET) into a MySQL query string in PHP exposes the application to SQL injection: an attacker-controlled value becomes part of the SQL text the database parses, so it can change what the query does. The primary mitigation is to use prepared statements with bound parameters, so that user input is sent to the database as data and never interpreted as SQL; validating the input against the type and format you expect before it reaches the database is a further layer on top of that.

<?php
// Connect with PDO (placeholder DSN and credentials); errors throw exceptions and native prepares are used
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

// Validate the URL parameter explicitly (FILTER_SANITIZE_STRING is deprecated since PHP 8.1): here a non-empty string of at most 100 bytes
$param = filter_input(INPUT_GET, 'param');
if (!is_string($param) || $param === '' || strlen($param) > 100) {
    http_response_code(400); exit('Invalid parameter');
}

// Bind the value as a parameter so it is sent separately from the SQL text and cannot alter the statement
$stmt = $pdo->prepare("INSERT INTO table_name (column_name) VALUES (:param)");
$stmt->bindValue(':param', $param, PDO::PARAM_STR);
$stmt->execute();
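As an added example that is not part of the original answer, here is the same kind of insert written first with direct string interpolation (the vulnerable pattern the question asks about) and then with type validation plus bound parameters, followed by the allow-list approach needed when a URL value selects a column name, which cannot be bound. The table items, its columns name and quantity, the DSN and the credentials are assumed placeholders.

```php
<?php
// Added example (not from the original answer). Assumes a hypothetical table `items`
// with columns `name` (VARCHAR) and `quantity` (INT); DSN and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// VULNERABLE form, shown for contrast: raw query-string values are concatenated into the
// SQL text, so the database parses whatever the client sent as part of the statement.
function insertItemUnsafe(PDO $pdo): void
{
    $name     = $_GET['name'] ?? '';
    $quantity = $_GET['quantity'] ?? '';
    $pdo->exec("INSERT INTO items (name, quantity) VALUES ('$name', $quantity)");
}

// HARDENED form: validate each value against its expected type and shape, then bind it
// as a parameter so it travels to MySQL separately from the SQL text.
function insertItemSafe(PDO $pdo): void
{
    $name = filter_input(INPUT_GET, 'name');
    if (!is_string($name) || $name === '' || strlen($name) > 100) {
        http_response_code(400);
        exit('Invalid name');
    }
    $quantity = filter_input(INPUT_GET, 'quantity', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1000000]]);
    if ($quantity === false || $quantity === null) {
        http_response_code(400);
        exit('Invalid quantity');
    }

    $stmt = $pdo->prepare('INSERT INTO items (name, quantity) VALUES (:name, :quantity)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':quantity', $quantity, PDO::PARAM_INT);
    $stmt->execute();
}

// Identifiers (table or column names) cannot be bound as parameters: if the URL chooses
// a column, map the request value onto a fixed allow-list instead of interpolating it.
function sortColumnFromRequest(): string
{
    $allowed   = ['name' => 'name', 'quantity' => 'quantity'];
    $requested = filter_input(INPUT_GET, 'sort') ?? 'name';
    return $allowed[$requested] ?? 'name';
}

insertItemSafe($pdo);
```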