Let's say I have a website I created with pure PHP, no frameworks, nothing additional, just PHP and libraries. How can I protect my website against SQL Injection? Does PHP have something built-in to protect that or do I need to do anything additional?

Now you need to make a few changes in the previous code. Make a function like:

<?php
function BlockSQLInjection($str)
{
return str_replace(array("'",""","'",'"'),array("'","&quot;"'","&quot;",$str));
}
?>

Through the above statement, str_replace() function will replace all characters in the string. Now you will use the function as follows:

<?php
$userName=BlockSQLInjection($_POST['userName']);
$password=BlockSQLInjection($_POST['password']);
?>

These functions will help you avoid SQL injection vulnerabilities.

Apart from the coding part, it is very preferable to enable WAF(Web Application Firewall )Support to protect the website against SQL Injection and other common vulnerabilities.

Yes php is hardened to avoid sql attacks with mysql hardening as well

SQL injection is a code injection technique that might destroy your database. ... SQL injection is the placement of malicious code in SQL statements, via web page input.

SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists or private customer details.