# As before, the raw text-field input is stored in a variable; treat it as untrusted, it is whatever the client chose to send
u_name = value(text_field: 'username')
# The statement text is fixed up front with a ? placeholder where the value goes; the database can parse and plan it once, independently of whatever value is later supplied
sql_query = "SELECT * FROM users WHERE username = ?"
# Now we plug in parameters to a query method
# Only the prepared SELECT is ever executed: u_name is sent to the database as a separate bound value, not spliced into the statement text, so it is never parsed as SQL.
# A hostile value such as  ' or '1'='1  is therefore compared as a plain string, conceptually:
#   SELECT * FROM users WHERE username = <bound value "' or '1'='1">
# No user has that literal name, so the query simply returns no rows; it neither raises an error nor returns every user.
# Caveat: this protects value positions only. Table/column names, ORDER BY direction and similar cannot be bound and must be validated against an allow-list, and building the string yourself before binding would defeat the protection.