The issue: Using user data in queries often lets users manipulate those queries.
<?php
$sql = 'SELECT password FROM user WHERE login = ' . $_GET['login'];
?>
Request: http://example.com/tests/simple.php?login=username+OR+1
The solution: Use the database extension's escape functions
<?php
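// The escaped value must also be wrapped in quotes: escaping alone leaves "OR 1" intact.
// ext/mysql was removed in PHP 7.0; mysqli_real_escape_string() is the mysqli counterpart.
$sql = "SELECT password FROM user WHERE login = '" .
mysql_real_escape_string( $_GET['login'] ) . "'";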
?>
Hint: Even better, use prepared statements
<?php
$db = new PDO( ... );
$stmt = $db->prepare( 'SELECT password FROM user WHERE login = ?' );
$stmt->execute( array( $_GET['login'] ) );
?>
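Added example (not from the original slides): the three query styles above, run against a constructed in-memory SQLite table through PDO so their row counts can be compared. The table contents, the function names and the input `0 OR 1` (the same shape as the request above, adjusted so it parses in SQLite) are assumptions; the script needs the pdo_sqlite extension.

```php
<?php
// Constructed sample data in an in-memory database; nothing here touches a real server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (login TEXT, password TEXT)');
$db->exec("INSERT INTO user VALUES ('alice', 'hash-a')");
$db->exec("INSERT INTO user VALUES ('bob', 'hash-b')");

// Concatenation: the input becomes part of the SQL grammar.
function lookupConcatenated(PDO $db, string $login): array
{
    $sql = 'SELECT password FROM user WHERE login = ' . $login;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Escaping: PDO::quote() escapes the value AND adds the surrounding quotes,
// so the input can only ever be a string literal.
function lookupQuoted(PDO $db, string $login): array
{
    $sql = 'SELECT password FROM user WHERE login = ' . $db->quote($login);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the SQL text is fixed, the value is bound separately.
function lookupPrepared(PDO $db, string $login): array
{
    $stmt = $db->prepare('SELECT password FROM user WHERE login = ?');
    $stmt->execute(array($login));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: one manipulated value, one ordinary login.
foreach (array('0 OR 1', 'alice') as $login) {
    printf("input %-8s concatenated=%s quoted=%d prepared=%d\n",
        "'$login'",
        // An ordinary login is not valid SQL when concatenated unquoted,
        // so that case is reported as an error instead of a count.
        (function () use ($db, $login) {
            try {
                return count(lookupConcatenated($db, $login));
            } catch (PDOException $e) {
                return 'error';
            }
        })(),
        count(lookupQuoted($db, $login)),
        count(lookupPrepared($db, $login)));
}
?>
```

With the manipulated input the concatenated query matches every row, while the quoted and prepared forms compare the whole string against `login` as a single value.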