Wednesday, October 2, 2013

What happens if a SQL query is sent as a parameter?

My advice is: use parameters and you’re safe.


Also, remember to validate user input: if you don't, your data can be messed up by almost anything people insert.


To improve security even further, you'll need to use an account with the least permissions.


Here is a good article on this topic.
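What the question in the title looks like in practice, as an added example that is not part of the original post: the same constructed input is sent once through string concatenation and once as a bound parameter, and then checked against a validation rule. The in-memory SQLite database, the `users` table and all function names are assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample input: SQL text submitted where a name is expected.
HOSTILE = "x'); DROP TABLE users; --"

def make_db():
    """In-memory database with one constructed table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    return conn

def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None

def insert_concatenated(conn, name):
    """'Before' form: the input is spliced into the SQL text and parsed as SQL."""
    conn.executescript("INSERT INTO users (name) VALUES ('" + name + "');")

def insert_parameterized(conn, name):
    """Hardened form: the ? placeholder binds the input as a value, never as SQL."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()

# Validation is a separate control: it keeps junk out of the data.
# Apostrophes are allowed (O'Brien) because binding already makes them harmless.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}")

def is_valid_name(name):
    return NAME_RE.fullmatch(name) is not None

def demo():
    results = {}
    conn = make_db()
    insert_concatenated(conn, HOSTILE)          # input runs as a second statement
    results["concat_table_survives"] = table_exists(conn, "users")
    conn = make_db()
    insert_parameterized(conn, HOSTILE)         # input is stored as plain text
    results["param_table_survives"] = table_exists(conn, "users")
    results["param_stored"] = conn.execute("SELECT name FROM users").fetchone()[0]
    results["passes_validation"] = is_valid_name(HOSTILE)
    return results

if __name__ == "__main__":
    print(demo())
```

With the parameterized insert the table survives but the SQL text ends up as a row, which is the case input validation is there to reject.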

