Why This Is Secure

• ✅ **Prepared Statements** block SQL injection by separating code and data.
• ✅ Logic safely checks and redirects users after successful login.
• 🚫 Dangerous input like ' OR '1'='1 has no effect here.

Here’s the actual secure code:

// Avoids injection
$sql = "SELECT * FROM sqlgood WHERE username = ? AND password = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("ss", $username, $password);
$stmt->execute();

Try this: attempt to inject something like:

• admin' OR '1'='1 — Won’t work ✅
• admin' AND SLEEP(5)-- — No delay ✅

This demo proves that prepared statements = protection.