The right way to do PHP input validation
Eko Priyanto


Publish Date: Jan 31

Never trust your user.

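// Wrong way ❌: raw input is concatenated into the SQL string (SQL injection)
$userId = $_GET['user_id'];
$query = "SELECT * FROM users WHERE id = " . $userId;

// Right way ✅: validate the type, then bind the value as a parameter
// filter_input() returns null when user_id is missing and false when it is not an integer
$userId = filter_input(INPUT_GET, 'user_id', FILTER_VALIDATE_INT);
if ($userId === null || $userId === false) {
    throw new InvalidArgumentException('Invalid user ID');
}
// $pdo is an existing PDO connection
$query = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$query->execute([$userId]);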
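
The same validate-then-bind pattern run over several inputs, as an added example that is not part of the original post. The helper name parseUserId, the in-memory SQLite table and the sample values are assumptions made for illustration; filter_var() stands in for filter_input() so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the post): accept only a positive integer ID.
function parseUserId(mixed $raw): int
{
    if ($raw === null) {
        // Same state filter_input() reports as null: parameter not sent.
        throw new InvalidArgumentException('Missing user ID');
    }
    // min_range rejects 0 and negatives; arrays and non-numeric text fail too.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('Invalid user ID');
    }
    return $id;
}

// Constructed in-memory database so the example runs offline (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Prepared once; the ID is always sent as a bound parameter, never as SQL text.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');

// Constructed sample values standing in for $_GET['user_id'].
$samples = ['2', '1 OR 1=1', '0', '-5', '1.0', '', null, ['1'], '999'];

foreach ($samples as $raw) {
    $label = json_encode($raw);
    try {
        $id = parseUserId($raw);
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        $stmt->closeCursor();
        echo $label, ' => ', $row ? "found {$row['name']}" : 'valid ID, no such user', PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $label, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```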