Most SQL-injection articles set a horrible example for young programmers.
Here is a very typical “bad example” of why you need to escape user data before
it goes into SQL queries:
(ed. The symbol « is a line break that’s not in the real code.)
1. $username = $_POST['username']; // username=