SQL injection: injecting malicious SQL through user input. OWASP Top 10 #1.
Example
WHERE name='$name' → user enters admin' OR '1'='1 → the condition becomes always true → logs in as admin.
Only right way: Prepared Statements
PDO: $st = $pdo->prepare(...); $st->execute([$name]);
What NOT to do
String concatenation, mysql_real_escape_string(): outdated.
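The lookup from the example above written both ways, as an added illustration that is not part of the original note: the concatenated query beside the PDO prepared statement, run against an in-memory SQLite database so it works offline. The users table, the column names and the stored value are constructed for the demo; it assumes the pdo_sqlite extension is loaded.

```php
<?php
// Constructed demo database: one "users" table with a single admin row.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)");
$pdo->exec("INSERT INTO users (name, pass) VALUES ('admin', 'constructed-hash')");

// VULNERABLE: the user-controlled value is pasted into the SQL text,
// so a quote inside it changes the structure of the WHERE clause.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name='$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare() time; the value travels
// separately as a parameter and is only ever compared as data.
function findUserSafe(PDO $pdo, string $name): array
{
    $st = $pdo->prepare("SELECT id, name FROM users WHERE name = ?");
    $st->execute([$name]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

$input = "admin' OR '1'='1";   // the payload from the note above

// Unsafe: the clause becomes  name='admin' OR '1'='1'  and matches every row.
echo "unsafe rows: " . count(findUserUnsafe($pdo, $input)) . PHP_EOL;
// Safe: no user is literally named  admin' OR '1'='1  so nothing matches.
echo "safe rows:   " . count(findUserSafe($pdo, $input)) . PHP_EOL;
// Safe with the real name: the legitimate lookup still works.
echo "safe admin:  " . count(findUserSafe($pdo, 'admin')) . PHP_EOL;
```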
ORM
Eloquent, Doctrine: prepared statements automatically.