SELECT * FROM users WHERE username='$user' AND password='$pass'
If $user = "admin" and $pass = "blah" the SQL statement would look like this:
SELECT * FROM users WHERE username='admin' AND password='blah'
That's all very nice, but remember the user inputs the username and password. Consider this code:
$user = $_POST['user'];
$pass = $_POST['pass'];
$query = "SELECT * FROM users WHERE username='$user' AND password='$pass'";
$result = mysql_query($query);
if (mysql_num_rows($result) == 1) {
    echo "You now have admin access!";
}
Now if the user enters "admin" and password = "' OR 'a'='b", look at what the code looks like now:
$user = "admin";
$pass = "' OR 'a'='b";
$query = "SELECT * FROM users WHERE username='$user' AND password='$pass'";
$result = mysql_query($query);
if (mysql_num_rows($result) == 1) {
    echo "You now have admin access!";
}
If you were to echo the $query you would see:
$query = "SELECT * FROM users WHERE username='admin' AND password='' OR 'a'='b'";
And that would be a valid statement, thus giving us admin access!
Now if you replace the $user and $pass with this:
$user = addslashes($_POST['user']);
$pass = addslashes($_POST['pass']);
Our SQL statement would look like this:
$query = "SELECT * FROM users WHERE username='admin' AND password='\' OR \'a\'=\'b'";
And it would not be valid!
Remember, you only need addslashes() if magic_quotes is disabled.
Enjoy :-)
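As an added example (not the poster's code), here is the same login check written with PDO prepared statements, the approach that replaced addslashes()/magic_quotes in later PHP: the input is bound as a parameter and never becomes part of the SQL text, so the "' OR 'a'='b" value above is compared literally against the stored credential. It assumes a `users` table with `username` and `password_hash` columns and PHP 7 or later; the in-memory SQLite database and the sample row are constructed for the demo.

```php
<?php
// Added example: login check with PDO prepared statements instead of
// string concatenation + addslashes(). Assumes a `users` table with
// `username` and `password_hash` columns (hash made with password_hash()).
function checkLogin(PDO $db, string $user, string $pass): bool
{
    // The placeholder keeps user input out of the SQL text entirely; the
    // driver passes the value separately, so a quote in $user or $pass
    // cannot terminate the string literal as it does in "...password='$pass'".
    $stmt = $db->prepare(
        'SELECT password_hash FROM users WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a stored hash rather than a plaintext password column.
    return $row !== false && password_verify($pass, $row['password_hash']);
}

// Constructed sample data in an in-memory SQLite database so the example
// runs offline; the schema is illustrative, not the post's real table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'admin', ':h' => password_hash('blah', PASSWORD_DEFAULT)]);

// Legitimate credentials from the post.
echo 'admin/blah: ', checkLogin($db, 'admin', 'blah') ? 'login ok' : 'login denied', "\n";

// The injection string from the post is now just a wrong password: the
// quotes are data, not SQL syntax.
echo "admin/' OR 'a'='b: ", checkLogin($db, 'admin', "' OR 'a'='b") ? 'login ok' : 'login denied', "\n";
echo "admin/' OR 'a'='a: ", checkLogin($db, 'admin', "' OR 'a'='a") ? 'login ok' : 'login denied', "\n";
```

With the MySQL driver, setting `PDO::ATTR_EMULATE_PREPARES` to false makes the server perform the prepare, so the query text and the bound values really do travel separately.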