// Example 1 (legacy mysql extension): $user_id is interpolated straight into the SQL string.
$sql = "SELECT * FROM users WHERE id = $user_id";
$result = mysql_query($sql);

// Example 2 (mysqli extension): all three values are interpolated into the SQL string.
$sql = "INSERT INTO products (name, price, category) VALUES ('$product_name', $price, '$category')";
$result = mysqli_query($conn, $sql);

The second example inserts a new product record into the products table. The values for the name, price and category columns are interpolated directly from PHP variables. Again, the query is executed with mysqli_query(), which runs the raw SQL string without preparing it or binding any parameters; this example uses the mysqli database driver. In both examples, the unprepared queries leave the code vulnerable to SQL injection, where attacker-controlled input becomes part of the SQL statement and is executed by the database. Prepared statements with bound parameters are the recommended way to secure such queries. The two snippets do not share a single database library: the first uses the legacy mysql extension and the second uses mysqli. Using PDO for database connectivity is recommended, as it provides a unified interface across database drivers and supports prepared statements.
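The following is an added example, not code from the original page: both queries above rewritten with PDO prepared statements and bound parameters, which also replaces the legacy mysql extension that PHP 7 removed. The DSN, credentials and the sample values passed at the bottom are placeholders; only the table and column names come from the page.

```php
<?php
// Added example: the two queries from the page, hardened with PDO.
// DSN, user and password below are placeholders (assumptions).
$pdo = new PDO(
    'mysql:host=localhost;dbname=app_db;charset=utf8mb4', // placeholder DSN
    'app_user',                                           // placeholder user
    'app_password',                                       // placeholder password
    [
        // Throw on errors instead of failing silently.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: values are sent separately from the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Replaces: SELECT * FROM users WHERE id = $user_id
// The id is validated and bound as an integer, so it can never alter the query.
function findUserById(PDO $pdo, $userId): ?array
{
    if (filter_var($userId, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('user id must be an integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $userId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Replaces: INSERT INTO products (name, price, category) VALUES (...)
// The SQL text is fixed at prepare time; each value travels as a bound parameter.
function insertProduct(PDO $pdo, string $name, float $price, string $category): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO products (name, price, category) VALUES (:name, :price, :category)'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    // PDO has no float type; bind the decimal as a string and let the server parse it.
    $stmt->bindValue(':price', (string) $price, PDO::PARAM_STR);
    $stmt->bindValue(':category', $category, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Constructed sample values (placeholders), standing in for request input.
$user  = findUserById($pdo, '42');
$newId = insertProduct($pdo, 'Widget', 9.99, 'tools');
```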