For security reasons, I'm trying to learn more about how PHP stores variables. PHP is a server side language, yes, but I imagine when someone is editting a php variable it stays on the local machine before being sent in POST. So if I set a variable in my PHP code ($foo = "bar"), and want it to submit it in a later mysqli query, what stops someone from changing $foo to a different string value using some kind of external program before being later submitted? How would I stop this if that is the case?
In order to stop someone from changing the variable you can change the variable $foo = "bar" to constant variable as ( const $foo = "bar" ). For more explanation go to the link below http://php.net/manual/en/function.constant.php
You are concerning about the man-in-the-middle attack here. SSLs are meant for this and you can make encrypted GET and POST requests to prevent these risks if the data is really sensitive. Otherwise, if you are just concerning about the MySQL injections, then you will have to make your server-side code secure in order to prevent the injections.