What are the best practices for avoiding SQL injection in PHP applications?

When user input is directly included in an SQL command, the application risks SQL injection attacks. For instance, consider this vulnerable code snippet:

$input_data = $_POST['user_input']; 

mysql_query("INSERT INTO `table_name` (`field_name`) VALUES ('$input_data')");

A malicious user could submit data like sample'); DROP TABLE table_name;--, resulting in:

INSERT INTO `table_name` (`field_name`) VALUES('sample'); DROP TABLE table_name;--'

How can developers secure their PHP applications against such threats?

Hey there! have you ever thought about the practicality of using stored procedures as a way to stop SQL injections? It can separate SQL logic from input, potentially making things more secure. Do you think it’s enough, or would you pair it with other measures? I’m curious to hear more thoughts.