Imagine the following line of PHP code:
$db->GetRow("SELECT * FROM users WHERE id = $user_id");
This line is vulnerable to SQL injection if an attacker controls the $user_id
variable: the value is spliced straight into the query text and parsed as SQL, so
input such as 1 OR 1=1 turns a single-row lookup into a dump of every row.
This is the safe version (using a parametrized query, so the value is bound by the
driver and never interpreted as SQL):
$db->GetRow("SELECT * FROM users WHERE id = ?", array($user_id));
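The same contrast as a runnable demonstration, added here and not part of the original page (which uses PHP): both queries are run against a constructed in-memory SQLite table so the effect of the 1 OR 1=1 payload on the string-built query, and its harmlessness against the parametrized one, can be observed directly. The table name, column names and sample rows are invented for the example.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)],
    )
    return conn


def get_row_vulnerable(conn, user_id):
    """Mirror of the page's vulnerable line: the attacker-controlled value is
    interpolated into the SQL text, so anything it contains is parsed as SQL."""
    sql = f"SELECT id, name, is_admin FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def get_row_safe(conn, user_id):
    """Mirror of the page's safe line: a '?' placeholder is used and the value is
    passed separately, so the driver binds it as data, never as SQL syntax."""
    return conn.execute(
        "SELECT id, name, is_admin FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "2"
    payload = "1 OR 1=1"  # classic tautology injection

    print("vulnerable, benign input :", get_row_vulnerable(conn, benign))
    print("vulnerable, payload      :", get_row_vulnerable(conn, payload))  # all rows
    print("parametrized, benign     :", get_row_safe(conn, benign))
    print("parametrized, payload    :", get_row_safe(conn, payload))  # no rows
```

With the parametrized query the payload is compared as a literal text value against the integer id column, so it simply matches nothing; the query's structure cannot be changed by the input.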