A way you can protect your code against SQL injections is using prepared statements.
Prepared statements are precompiled SQL commands.
Using MySQLi Object-Oriented:
<?php
$conn = new mysqli($servername, $username, $password, $dbname);
$query = $conn->prepare('SELECT * FROM student WHERE name = ?');
$query->bind_param('s', $name); // 's' specifies the variable type string
$query->execute();
$result = $query->get_result();
while ($row = $result->fetch_assoc()) {
// Do something with $row
}
$conn->close();
?>