When should backticks (`) be used in prepared statements in PHP?

Backticks (`) should not be used in prepared statements in PHP. Prepared statements should use placeholders (such as ? or :placeholder) to represent data that is bound to the statement later. Using placeholders helps prevent SQL injection attacks and ensures proper escaping of user input.

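// Incorrect usage of backticks in a prepared statement:
// $username is interpolated straight into the SQL string instead of being bound,
// and MySQL reads a backtick-quoted token as an identifier (column name), not a value
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = `$username`");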

// Correct usage of placeholders in a prepared statement
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->bindParam(':username', $username);
$stmt->execute();
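
Going one step beyond the answer above: in MySQL, backticks delimit identifiers such as table and column names, and identifiers cannot be bound through placeholders. The following added example (not from the original page) binds the value with a placeholder and takes a caller-chosen sort column only from a fixed allowlist; the findUsers() helper, the table layout and the rows are constructed for illustration, and it assumes the pdo_sqlite extension, since SQLite accepts MySQL-style backtick identifiers.

```php
<?php
// Added example: schema and rows are constructed sample data.
// Assumption: pdo_sqlite is available, so the script runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES
    ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

/**
 * Hypothetical helper: look up users by name, ordered by a caller-chosen column.
 * $username is data, so it is bound through a placeholder.
 * $orderBy is an identifier, which a placeholder cannot carry, so it must
 * match a fixed allowlist before it is placed between backticks.
 */
function findUsers(PDO $pdo, string $username, string $orderBy): array
{
    $allowedColumns = ['id', 'username', 'email'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }

    $sql = "SELECT id, username, email FROM `users`
            WHERE username = :username
            ORDER BY `{$orderBy}`";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A normal lookup with an allowlisted sort column.
var_dump(findUsers($pdo, 'alice', 'email'));

// Constructed input containing quote characters: because it is bound,
// it is compared as one literal string and never parsed as SQL.
var_dump(findUsers($pdo, "alice' OR '1'='1", 'id'));

// A column name outside the allowlist is rejected before any SQL is built.
try {
    findUsers($pdo, 'alice', 'nickname');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```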