What potential security risks are involved in the provided PHP code for checking customer authorization?

The provided PHP code is vulnerable to SQL injection attacks due to the direct concatenation of user input into the SQL query. To mitigate this risk, you should use prepared statements with parameterized queries to prevent malicious input from altering the query structure.

// Original vulnerable code
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($conn, $sql);

// Fixed code using prepared statements
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM users WHERE username=? AND password=?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$result = $stmt->get_result();