What steps can be taken to prevent SQL injection attacks when handling user input in a PHP application?

SQL injection attacks can be prevented by using prepared statements with parameterized queries in PHP. This approach ensures that user input is treated as data rather than executable code, thus protecting the application from malicious SQL injection attempts.

// Establish a connection to the database
$pdo = new PDO('mysql:host=localhost;dbname=mydatabase', 'username', 'password');

// Prepare a SQL statement with a parameterized query
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');

// Bind the user input to the parameter
$stmt->bindParam(':username', $_POST['username']);

// Execute the query
$stmt->execute();

// Fetch the results
$results = $stmt->fetchAll();