Within the world of application development, there is a conspiracy.
$sql = "SELECT * FROM users WHERE username='" . $username . "'";

What’s wrong with this code? The problem is that $username needs to be escaped before it can be put into the SQL statement. If $username contains single quotes, the SQL statement will do something you did not intend. If you already know this, stick around, there’s more to this story.
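To make the failure concrete, here is an added example (not from the original post) that mirrors the PHP line above in Python against a constructed in-memory SQLite table: a perfectly legitimate username containing a single quote breaks the concatenated statement, while the same lookup with a bound parameter handles it correctly. The table contents and the function names are assumptions made for this illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demonstration; not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn

def build_concatenated_sql(username):
    # Same construction as the PHP line above: the value is pasted
    # straight into the statement text.
    return "SELECT * FROM users WHERE username='" + username + "'"

def lookup_concatenated(conn, username):
    # Returns ("ok", rows) or ("error", message). A quote inside the
    # value terminates the string literal early, so the statement no
    # longer parses the way the author intended.
    try:
        rows = conn.execute(build_concatenated_sql(username)).fetchall()
        return ("ok", rows)
    except sqlite3.Error as exc:
        return ("error", str(exc))

def lookup_parameterized(conn, username):
    # The driver sends the value separately from the SQL text, so any
    # quote inside it is treated as data rather than as SQL syntax.
    rows = conn.execute("SELECT * FROM users WHERE username=?",
                        (username,)).fetchall()
    return ("ok", rows)

if __name__ == "__main__":
    conn = make_db()
    for name in ("alice", "O'Brien"):
        print(repr(name), "concatenated:", lookup_concatenated(conn, name))
        print(repr(name), "parameterized:", lookup_parameterized(conn, name))
```

Running it shows the concatenated query finding "alice" but returning a parse error for "O'Brien", whereas the parameterized query finds both rows.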