diff --git a/_posts/06-01-01-Databases.md b/_posts/06-01-01-Databases.md
index 15f3df4..ad51706 100644
--- a/_posts/06-01-01-Databases.md
+++ b/_posts/06-01-01-Databases.md
@@ -36,8 +36,10 @@ $pdo = new PDO('sqlite:users.db');
 $pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO!
 {% endhighlight %}
 
-This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a heartbeat. Instead,
-you should sanitize the ID input using PDO bound parameters.
+This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a
+heartbeat. Just imagine if a hacker passes in an inventive `id` parameter by calling a URL like
+`http://domain.com/?id=1%3BDELETE+FROM+users`.  This will set the `$id` variable to `id=1;DELETE FROM users`
+which will delete all of your users! Instead, you should sanitize the ID input using PDO bound parameters.
 
 {% highlight php %}
 <?php