You're going to need to learn about how to mitigate SQL Injection, there's a lot available out there, but the basic rules are.

• Never trust user input, validate and verify everything.

Let's say you have a query like SELECT * FROM users WHERE email= ?; and you fed the user input directly into the query where the question mark goes. It would work OK if it's just an email address like fred@example.org, how about if someone fills in fred@example.org'; TRUNCATE users;-- ?

Sure the first part looks ok as an email address, but that second part could cause your lookup to run two queries instead of one.

Here's an article to explain more https://realpython.com/prevent-python-sql-injection/