Stop passing user inputs directly into SQL queries! SANITIZE THEM FIRST!
It's 2017 and I'm still coming across the user's input being passed directly into an SQL query, this a very quick round up of why you should NOT do this.
$user_input = $_POST["user_input"]; $query = "SELECT * FROM sample_table WHERE id = " . $user_input;
You are just asking for trouble with the above, never pass a user's input directly into your SQL without sanitizing or preparing it first.
Just a few examples of why the above is horrendous
// 1 20; UPDATE users SET firstname.lastname@example.org' WHERE username='admin' // 2 20; DROP TABLE sample_table // 3 20 OR 1=1
Take example 1 and 2, they use multiple SQL statements seperated by semicolons which is called batch of SQL statements. Because the users input has not been santised at all, you can easily craft an input value which will wreak havoc with this type of code. A simple ; will start a new SQL statement and in the cases of 1 and 2 above, update an admins email address to that of the attackers or delete any table of the attackers choosing.
Example number 3 will return all rows as
OR 1=1 will always be TRUE resulting in all rows being displayed.
You can find more info about how to sanitize user input here.