The biggest worry you have when dealing with SQL and your database queries is the risk of SQL injection.
SQL injection is an attack that changes the meaning of an SQL query by inserting unexpected SQL into it. Typically it is done by supplying input that is incorrectly filtered (or not filtered at all) before a PHP script, or a script in any other language, concatenates it into the query string.
Let's consider what this would mean if our code were insecure.
Let's say we have a fictitious script that takes an integer value (representing a user ID in the user table) from a form or a direct URL parameter and uses it in a query. For example:
http://[oursite]/processuser.php?userid=4
Now, let's say our script looked similar to the following (remember this is fictional; don't really do this! This is a big security hole!):
```php
<?php
require_once('config.php');

// The userid parameter from the URL above is read straight from the request
// and interpolated into the SQL string with no validation or quoting.
// This is the security hole the text is warning about.
$userid = $_GET['userid'];
$sql = "SELECT * FROM {$CFG->prefix}user WHERE id = $userid";
$user = get_record_sql($sql);
// ...
```
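As an added example that is not part of the original page and not Moodle code, here is the same flaw and its fix in Python with SQLite, so it can be run stand-alone. A constructed `mdl_user` table with four rows stands in for the Moodle user table; `fetch_user_vulnerable` mirrors the PHP script above by pasting the raw `userid` parameter into the query text, and `fetch_user_safe` casts the value to an integer and binds it as a query parameter. The table name, column names and sample rows are assumptions for illustration.

```python
import sqlite3

# Constructed sample rows standing in for the Moodle user table (assumption:
# the real table has many more columns; only these three matter here).
SAMPLE_USERS = [
    (1, "admin", "admin@example.com"),
    (2, "alice", "alice@example.com"),
    (3, "bob", "bob@example.com"),
    (4, "carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database with a tiny mdl_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO mdl_user VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def fetch_user_vulnerable(conn, userid):
    """Mirror of the insecure PHP: the raw request parameter is pasted into
    the SQL text, so whatever the caller sends is executed as SQL."""
    sql = f"SELECT id, username, email FROM mdl_user WHERE id = {userid}"
    return conn.execute(sql).fetchall()


def fetch_user_safe(conn, userid):
    """Hardened version: reject anything that is not an integer, then pass
    the value as a bound parameter so the driver never treats it as SQL."""
    try:
        userid = int(userid)
    except (TypeError, ValueError):
        raise ValueError("userid must be an integer") from None
    sql = "SELECT id, username, email FROM mdl_user WHERE id = ?"
    return conn.execute(sql, (userid,)).fetchall()


def safe_rejects(conn, userid):
    """True if the hardened lookup refuses this input outright."""
    try:
        fetch_user_safe(conn, userid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    honest = "4"            # what the URL ?userid=4 sends
    hostile = "4 OR 1=1"    # the same parameter with SQL appended
    print("vulnerable, honest input :", fetch_user_vulnerable(conn, honest))
    print("vulnerable, hostile input:", fetch_user_vulnerable(conn, hostile))
    print("safe, honest input       :", fetch_user_safe(conn, honest))
    print("safe, hostile input      :",
          "rejected" if safe_rejects(conn, hostile) else "accepted")
```

Running it shows the vulnerable path returning every row for `4 OR 1=1`, because the appended `OR 1=1` makes the WHERE clause true for all users, while the hardened path refuses the same input. The two defences are independent: the integer check alone would stop this particular payload, but parameter binding is what protects string columns such as `username`, where no cast can help and a quote character in the input would otherwise break out of the literal.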