
Comment by gruez

6 years ago

Presumably he's talking about code like this:

    $cursor.execute("SELECT * FROM users WHERE username = '$username' AND hash = MD5('$password')")

Allowing any value would allow for SQL injections, so the programmer does the lazy thing and "sanitizes" the inputs ($username/$password) with a roll-your-own "sanitizing" function that throws an error if there are "evil" characters.
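An added example (not from the comment above) contrasting the three approaches in Python with sqlite3: the interpolated query from the comment, a blacklist "sanitizer" bolted on in front of it, and a parameterized query. The table, usernames and passwords are constructed sample data, and SHA-256 stands in for the comment's MD5() since the hash function is not the point.

```python
import hashlib
import sqlite3


def pw_hash(password):
    # Unsalted SHA-256 stands in for the comment's MD5(); hash choice is not the point here.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed in-memory table with sample users; one username legitimately contains a quote.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, hash TEXT)")
    for name, pw in [("alice", "hunter2"), ("O'Brien", "letmein")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, pw_hash(pw)))
    return conn


def login_interpolated(conn, username, password):
    # The pattern from the comment: user input pasted straight into the SQL text.
    sql = f"SELECT username FROM users WHERE username = '{username}' AND hash = '{pw_hash(password)}'"
    return conn.execute(sql).fetchone()


BLACKLIST = set("'\";-")


def naive_sanitize(value):
    # Roll-your-own "sanitizer": reject anything containing an "evil" character.
    if any(ch in BLACKLIST for ch in value):
        raise ValueError("forbidden character in input")
    return value


def login_blacklisted(conn, username, password):
    return login_interpolated(conn, naive_sanitize(username), naive_sanitize(password))


def login_parameterized(conn, username, password):
    # Placeholders: the driver passes values separately from the SQL text, so a quote is just data.
    sql = "SELECT username FROM users WHERE username = ? AND hash = ?"
    return conn.execute(sql, (username, pw_hash(password))).fetchone()


def demo():
    # A valid user whose name contains a quote: interpolation breaks the statement,
    # the blacklist rejects a legitimate login, parameterization just works.
    conn = make_db()
    results = {}
    try:
        login_interpolated(conn, "O'Brien", "letmein")
        results["interpolated"] = "ok"
    except sqlite3.OperationalError:
        results["interpolated"] = "sql error"
    try:
        login_blacklisted(conn, "O'Brien", "letmein")
        results["blacklisted"] = "ok"
    except ValueError:
        results["blacklisted"] = "rejected"
    results["parameterized"] = login_parameterized(conn, "O'Brien", "letmein")[0]
    return results
```

The same quote that makes the interpolated statement a syntax error (and that the blacklist treats as "evil") is handled as plain data by the parameterized query, which is why placeholders rather than character filtering are the fix.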