Security is easy to overlook, especially when starting out. SQL injections are extremely dangerous. Let’s say you write this in your code:
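<?php
// Vulnerable: user input is concatenated straight into the SQL text.
$query = "SELECT first_name FROM users WHERE id = " . $input['user_id'] . ";";

// Safer: a prepared statement keeps the SQL text fixed and binds the input as data.
$stmt = $pdo->prepare("SELECT first_name FROM users WHERE id = :user_id");
$stmt->bindParam(':user_id', $input['user_id']);
?>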
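
The difference between the two statements above, shown as an added example that is not part of the original page: the same two inputs are run through the concatenated query and through the prepared statement, so you can compare how each treats an input that carries SQL syntax. It assumes PHP with the pdo_sqlite extension; the function names, the in-memory table, its rows and both inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the original page. Assumes the pdo_sqlite extension;
// the table, rows and inputs below are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT)');
$pdo->exec("INSERT INTO users (id, first_name) VALUES (1, 'Alice'), (2, 'Bob'), (3, 'Carol')");

// Vulnerable form from the page: the input becomes part of the SQL text.
// (lookupConcatenated is a hypothetical helper name.)
function lookupConcatenated(PDO $pdo, array $input): array
{
    $sql = "SELECT first_name FROM users WHERE id = " . $input['user_id'] . ";";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared form from the page: the SQL text is fixed and the input is bound as data.
// (lookupPrepared is a hypothetical helper name.)
function lookupPrepared(PDO $pdo, array $input): array
{
    $stmt = $pdo->prepare("SELECT first_name FROM users WHERE id = :user_id");
    $stmt->bindParam(':user_id', $input['user_id']);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a plain id, and a value that contains SQL syntax.
$inputs = [
    'expected' => ['user_id' => '2'],
    'crafted'  => ['user_id' => '2 OR 1=1'],
];

foreach ($inputs as $label => $input) {
    printf("%-8s concatenated: %s\n", $label, json_encode(lookupConcatenated($pdo, $input)));
    printf("%-8s prepared:     %s\n", $label, json_encode(lookupPrepared($pdo, $input)));
}
```

With the concatenated query the second input is parsed as part of the WHERE clause; with the prepared statement it is compared to `id` as a single literal value.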