Imagine you have a user table and a login form. Usually when a user logs in you want to determine whether he has an account:
THIS IS VERY BAD PHP:
"SELECT * FROM users WHERE username = '$username' AND password = MD5('$password');"
Now you have a user with the username
1';DROP TABLE users;#
What would happen?