PHP is the backbone for several out-of-the-box solutions such as WordPress. When writing new extensions and plugins for WordPress sites, developers will likely create inline SQL statements. These statements are built from the front-end and sent back to the SQL database. If these statements are malformed, you run the risk of leaving your site open to SQL injection.
There are two ways to avoid this. The first way (and the most preferred) is by using prepared statements. The second is by using parameterized queries. The following statement builds on user input from a form:
<?php
$stmt = ("SELECT * FROM users WHERE firstname = '".$firstname."';");
$stmt = $dbConnection->prepare('SELECT * FROM users WHERE firstname = ?');
$stmt->bind_param('s', $firstname); $stmt->execute();
?>https://www.upwork.com/hiring/development/common-mistakes-avoid-php-programming/