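# $user_id is expected to hold a user id, but nothing checks it before it is
# spliced into the SQL text. The original, vulnerable form was:
#
#     $dbh->prepare("DELETE FROM foo WHERE user_id=$user_id");
#
# It looks fine until the user submits `10 or 1=1` as user_id, which yields
#
#     DELETE FROM foo WHERE user_id=10 or 1=1
#
# and deletes every row, because 1 always equals 1. prepare() does not help
# here: the injected text is already part of the statement before the driver
# ever sees it.
#
# Fix: (1) validate the value's type at the boundary, and (2) never interpolate
# it — use a placeholder so the driver receives the id as bound data, not SQL.

# Reject anything that is not an integer rather than silently casting
# ("10 or 1=1" would cast to 10 and hide the attempt).
$user_id = filter_var($user_id, FILTER_VALIDATE_INT);
if ($user_id === false) {
    throw new InvalidArgumentException('user_id must be an integer');
}

# Placeholder instead of interpolation. The statement is only prepared here,
# as in the original; the validated id is supplied at execution time, e.g.
# `$stmt->execute([$user_id]);`. NOTE(review): assumes $dbh is a PDO handle —
# confirm (mysqli exposes the same prepare()/execute(array) shape from 8.1).
$stmt = $dbh->prepare('DELETE FROM foo WHERE user_id = ?');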