Direct SQL command injection is a technique in which an attacker creates new SQL commands, or alters existing ones, to expose hidden data, overwrite valuable data, or even execute dangerous system-level commands on the database host.
Never store passwords in clear text: store a hash of each password (in PHP, password_hash() and password_verify()) so that a dumped table does not yield usable credentials.
Never connect to the database as a superuser or as the database owner. Always use dedicated database users with the minimum privileges the application needs.
Check that the given input has the expected data type before it goes anywhere near a query. PHP has a wide range of input-validating functions (for example the ctype functions and filter_var()).
Do not print out any database-specific information, especially about the schema, in error messages shown to users.
See the Error Reporting and Error Handling and Logging Functions sections for how to log failures server-side without revealing them to the client.
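The techniques above applied together to a login lookup, as an added example written for this page (it is not code from the PHP manual). It assumes PHP 8 with PDO, a `users` table with `username` and `password_hash` columns, a restricted database role `app_user` that can only SELECT from and INSERT into that table, and an `APP_DB_PASSWORD` environment variable; all of these names are assumptions for illustration.

```php
<?php
// Added example, not from the PHP manual. Assumed: PHP 8, PDO (MySQL DSN),
// a `users` table (username, password_hash), and a low-privilege role
// `app_user` limited to SELECT/INSERT on that table.

declare(strict_types=1);

// In production keep display_errors off (php.ini: display_errors = Off) and
// log_errors on, so PDOException messages never reach the browser.

// 1. Connect as a restricted user, never as superuser or owner.
//    ERRMODE_EXCEPTION: failures become exceptions we handle ourselves.
//    EMULATE_PREPARES false: the server binds parameters, not the client.
function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', getenv('APP_DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// 2. Validate type and shape up front: must be a string matching an allow-list.
function validUsername(mixed $input): ?string
{
    if (!is_string($input)) {
        return null;
    }
    return preg_match('/\A[a-z0-9_.-]{3,32}\z/i', $input) === 1 ? $input : null;
}

// The vulnerable form this replaces, kept only as a comment for contrast:
//   $sql = "SELECT * FROM users WHERE username = '" . $_POST['user'] . "'";
// A value of  ' OR '1'='1  turns the WHERE clause into a tautology.

// 3. Prepared statement: the value travels separately from the query text,
//    so it cannot change the statement's structure whatever it contains.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// 4. Store only a hash; verify with password_verify(), never string compare.
function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function login(PDO $db, mixed $userInput, mixed $passwordInput): bool
{
    $username = validUsername($userInput);
    if ($username === null || !is_string($passwordInput)) {
        return false;
    }
    try {
        $row = findUser($db, $username);
    } catch (PDOException $e) {
        // 5 and 6: log the detail server-side; tell the client nothing
        // about the schema or the driver error.
        error_log('db error during login: ' . $e->getMessage());
        return false;
    }
    // Verify against a dummy hash when the user does not exist so that a
    // missing account takes about as long as a wrong password.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $hash = $row['password_hash'] ?? $dummy;
    return password_verify($passwordInput, $hash) && $row !== null;
}

// Usage:
//   $db = connect();
//   register($db, 'alice', 'correct horse battery staple');
//   var_dump(login($db, $_POST['user'] ?? null, $_POST['pass'] ?? null));
```

The allow-list in validUsername() is deliberately stricter than what the prepared statement needs; the prepared statement is what stops injection, and the validation is a second, independent layer that also rejects non-string input such as an array smuggled in through `user[]=`.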