SQL Injection - Example attacks - Basic SQL Injection attack
Basic SQLi attack
If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
That's because the user can input something like
value'); DROP TABLE table;--
and the query becomes:
INSERT INTO `table` (`column`) VALUES ('value'); DROP TABLE table;--')
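The same flaw next to its fix, as an added example that is not part of the original page. It assumes PHP with the pdo_sqlite driver (an in-memory database, so it runs offline); the table name comments, the column name body and the helper functions are hypothetical, and the input is a constructed value with the same shape as the one above.

```php
<?php
// Added example, not code from the original page.
// Assumptions: pdo_sqlite is available; `comments` and `body` are hypothetical names.

// Create a throwaway in-memory database with one table.
function freshDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (body TEXT)');
    return $db;
}

// Report whether the comments table is still present in the schema.
function tableExists(PDO $db): bool {
    $sql = "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = 'comments'";
    return (int) $db->query($sql)->fetchColumn() === 1;
}

// Constructed sample input: closes the string literal and the VALUES list,
// appends a second statement, then comments out the leftover quote.
$input = "value'); DROP TABLE comments;--";

// Vulnerable: the input becomes part of the SQL text itself.
$db  = freshDb();
$sql = "INSERT INTO comments (body) VALUES ('$input')";
echo "Query sent:   $sql", PHP_EOL;
$db->exec($sql); // with this driver, exec() runs every statement in the string
echo 'Table exists after concatenated query: ';
var_dump(tableExists($db));

// Hardened: the SQL text is fixed and the input is bound as a parameter,
// so the database only ever treats it as a column value.
$db   = freshDb();
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
$stmt->execute([$input]);
echo 'Table exists after prepared statement: ';
var_dump(tableExists($db));
echo 'Stored value: ', $db->query('SELECT body FROM comments')->fetchColumn(), PHP_EOL;
```

With the prepared statement the quote, parenthesis and comment marker in the input are stored as literal characters instead of being parsed as SQL.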
sql_injection_-_example_attacks/basic_sql_injection_attack.1476360841.txt.gz · Last modified: 2020/07/15 09:30 (external edit)