you'll notice in the code sample i provided i threw in a quesion mark. that is a place holder, a way of ensuring proper quoting with DBI. I'm not sure how PHP implements this. if someone were to spoof their REMOTE_USER string to report bill' OR 'cracked'='cracked
you suddenly have a breach where all the data in that table is pulled in.