Never trust user input.
The most common security vulnerability (OWASP Top 10) is Injection. This happens when an application takes untrusted data from a user (like a form field) and sends it directly to an interpreter (like a SQL database) without validation or escaping.
If an attacker enters `' OR 1=1 --` into a login field, and the server blindly concatenates it into `SELECT * FROM users WHERE user = '` + input + `'`, the resulting query becomes `SELECT * FROM users WHERE user = '' OR 1=1 --'`. Since 1=1 is always true, the attacker logs in as the first user in the database!
```python
# db is an open DB-API connection or cursor; user_input is the raw form value.

# BAD: String Concatenation (SQL Injection)
# Input:  "' OR 1=1 --"
# Result: "SELECT * FROM users WHERE email = '' OR 1=1 --'"
db.execute("SELECT * FROM users WHERE email = '" + user_input + "'")

# GOOD: Parameterized Queries (Safe)
# The database treats the input strictly as a literal string value,
# NOT as executable SQL syntax. The ' OR 1=1 is harmless data.
db.execute("SELECT * FROM users WHERE email = ?", (user_input,))
```
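To see the two queries behave differently on a real database, here is an added, self-contained example (not from the original page) that builds a constructed in-memory SQLite table, runs the page's `' OR 1=1 --` input through both the concatenated and the parameterized lookup, and reports which rows each one returns. The table contents, column names and function names are assumptions made for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO users (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    conn.commit()
    return conn


def find_user_concat(conn: sqlite3.Connection, user_input: str) -> list[str]:
    """BAD: the input is spliced into the SQL text, so it can change the query."""
    sql = "SELECT name FROM users WHERE email = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn: sqlite3.Connection, user_input: str) -> list[str]:
    """GOOD: the driver binds the value; it can never alter the statement."""
    sql = "SELECT name FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def compare(user_input: str) -> dict[str, list[str]]:
    """Run the same input through both lookups and return what each matched."""
    conn = make_db()
    return {
        "concatenated": find_user_concat(conn, user_input),
        "parameterized": find_user_param(conn, user_input),
    }


if __name__ == "__main__":
    # A normal login value matches exactly one row either way.
    print(compare("alice@example.com"))
    # The page's example input: the concatenated query matches every row
    # (an application taking the first row would "log in" as Alice),
    # while the parameterized query matches nothing because the string
    # "' OR 1=1 --" is compared literally against the email column.
    print(compare("' OR 1=1 --"))
```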