How can I prevent SQL injection in PHP?

There are several ways to prevent SQL injection attacks in PHP:

1. Use prepared statements and parameterized queries: These are SQL statements that are sent to the database separately from any parameters. This helps to prevent attackers from injecting malicious code into your SQL statement.

   $pdo = new PDO('mysql:host=localhost;dbname=test', 'user', 'pass');
   $stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
   $stmt->execute(['email' => $userInput]);

2. Use stored procedures: Stored procedures are pre-compiled SQL statements that are stored in the database. They can help reduce SQL injection risk, but only if they are called with parameterized inputs rather than string concatenation.
3. Validate user input: Make sure to validate all user input to ensure that it matches expected formats. This can be done using functions such as filter_var() or strict type checking. Validation reduces the attack surface but does not replace database-level protections.
4. Use database escaping functions: Functions like mysqli_real_escape_string() can escape special characters, but they are error-prone and considered legacy. Note that htmlspecialchars() and htmlentities() prevent Cross-Site Scripting (XSS), not SQL injection, and should be used for output encoding instead.
5. Use an ORM (Object-Relational Mapper): ORMs such as Doctrine or Eloquent can help to prevent SQL injection attacks by automatically escaping user input and using prepared statements.
6. Use a web application firewall: A web application firewall (WAF) can help to protect your application from SQL injection attacks by monitoring and blocking suspicious traffic.

By following these best practices, you can significantly reduce the risk of SQL injection attacks in your PHP application.