A way you can protect your code against SQL injections is using prepared statements.
Prepared statements are precompiled SQL commands.
Using MySQLi Object-Oriented:
<?php
$conn = new mysqli($servername, $username, $password, $dbname);
$query = $conn->prepare('SELECT * FROM student WHERE name = ?');
$query->bind_param('s', $name); // 's' specifies the variable type string