Using placeholder like ".username" and binding user data via function like "bindingParam ()" ensure that input is treated purely as data,preventing it from being executed as milicious SQL code.