Without using parameterised queries to escape SQL injection, will this method not work?
You could probably test it to see.
Make the name variable equal to:

```javascript
let name = "`;console.log(connection);`"
```

Possibly something like that. If you see a new log message, then someone can inject code into $name and make it run.
Your code on line 7 has a critical SQL injection flaw (`WHERE username='${name}'`). You must use parameterized queries to fix the code immediately.
That said, code is only part of the solution. I learned this the hard way, and you might find this helpful: I fixed all my SQLi vulnerabilities with prepared statements, but later one of my client sites still got hit because I missed a critical OS security patch. Admin failure on my part.
So I guess what I'm trying to say is, you need to go beyond the code. A strong server-side WAF and automated OS patching are very important. If you go for a managed host, for example cloudways, kinsta or WPengine, patches and firewalls will be implemented for you.
