A major source of security headaches in web applications has been SQL injection attacks. SQL injection can occur when user-supplied data is not properly escaped and sanitized before being inserted into an SQL command. Malicious users can use this as an opportunity to run arbitrary commands on the database, either exposing sensitive data or performing destructive actions such as altering or removing data.
Fortunately, this is an easy problem to solve. One could, of course, manually sanitize all user input before concatenating it into SQL queries, but that is tedious and prone to human error: forgetting to sanitize one part of the application would leave it vulnerable. The preferred way to guard against SQL injection is to use prepared statements.
Prepared statements (or parameterized statements) are just like regular SQL queries. The only difference is that, instead of directly inserting the user-supplied parameters...
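The contrast between string concatenation and a parameterized query, as an added example that is not part of the original text. It uses Python's standard `sqlite3` module against a constructed in-memory table (the table, rows and inputs are all assumptions for illustration). The unsafe lookup splices the input into the SQL text, so a value containing a quote changes the meaning of the query or simply breaks it; the parameterized lookup binds the same value separately, so the database only ever sees it as a literal string.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("o'brien", "obrien@example.test")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    # Vulnerable pattern: the user-supplied value becomes part of the SQL text.
    # Returns None when the resulting SQL is not even syntactically valid.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def find_user_safe(conn, username):
    # Prepared/parameterized pattern: the SQL text is fixed and the value is
    # bound to the placeholder, so it is never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Runs both lookups on a normal name, a name with an apostrophe, and an
    # input whose quote characters alter the concatenated query's WHERE clause.
    conn = make_db()
    normal = "alice"
    apostrophe = "o'brien"
    hostile = "x' OR '1'='1"
    return {
        "unsafe_normal": find_user_unsafe(conn, normal),
        "unsafe_apostrophe": find_user_unsafe(conn, apostrophe),
        "unsafe_hostile": find_user_unsafe(conn, hostile),
        "safe_normal": find_user_safe(conn, normal),
        "safe_apostrophe": find_user_safe(conn, apostrophe),
        "safe_hostile": find_user_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Note that the parameterized version is not only safer but also more correct: the legitimate username `o'brien` breaks the concatenated query outright, while the bound parameter returns the right row. The hostile input returns every row through the unsafe path and no rows through the safe one, because `?` binding makes the whole string a single literal rather than SQL syntax.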