Why is it recommended to use prepared statements instead of directly executing SQL queries in PHP?

Using prepared statements in PHP helps prevent SQL injection attacks by keeping SQL code and user input separate: the query text is sent to the database first, and the values are bound afterwards, so a value is never parsed as part of the query. Prepared statements also improve performance because the database can parse and plan the query once and reuse that execution plan. Additionally, prepared statements make it easier to reuse the same query with different parameters.

// Using prepared statements to prevent SQL injection (assumes an existing
// PDO connection in $pdo). The :username placeholder is not quoted; the
// driver binds the value separately from the SQL text.
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->execute();
$user = $stmt->fetch(PDO::FETCH_ASSOC);
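As an added example that is not part of the original answer, the script below puts a string-built query next to a prepared one against an in-memory SQLite database, so it runs offline. The table, its rows and the hostile input are constructed for illustration; the function names are my own.

```php
<?php
// Added example (not from the original answer): contrasts SQL built by
// string concatenation with a prepared statement. Uses an in-memory SQLite
// database; table, rows and the hostile input are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob'), ('carol')");

// Constructed hostile input: a tautology that rewrites the WHERE clause if it
// is pasted into the SQL text.
$input = "x' OR '1'='1";

// Vulnerable: the user's input becomes part of the SQL code itself.
function lookupConcatenated(PDO $pdo, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed; the value travels as a bound parameter.
function lookupPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$leaked = lookupConcatenated($pdo, $input); // every row: the clause is now always true
$safe = lookupPrepared($pdo, $input);       // no rows: no user has that literal name
printf("concatenated: %d rows (%s)\n", count($leaked), implode(', ', $leaked));
printf("prepared:     %d rows\n", count($safe));

// Reuse: prepare once, execute several times with different parameters.
$stmt = $pdo->prepare('SELECT id FROM users WHERE username = :username');
foreach (['alice', 'carol'] as $name) {
    $stmt->execute([':username' => $name]);
    printf("%s -> id %d\n", $name, $stmt->fetchColumn());
}
```

With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so that the server, not the client library, performs the parameter binding.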