if, instead of your code, they put... "'; TRUNCATE codes; SELECT * FROM codes where code = '"...
and you stick it into your script like:
$query = "SELECT * FROM codes WHERE code = '".$_GET['code']."'";
your actual query string becomes...
SELECT * FROM codes WHERE code = ''; TRUNCATE codes; SELECT * FROM codes where code = ''
and then your data go boom.
You never, ever, use variables the user could POSSIBLY TOUCH without sanitizing them, preferably also using prepared statements in your database implementation.
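The stacked-query injection the post walks through, reproduced as an added example (not code from the original post or its author). It uses Python's sqlite3 so it runs offline; since SQLite has no TRUNCATE, the payload uses DELETE FROM instead (an assumption for this demo), and executescript stands in for a driver that runs multiple statements in one call, the way the post's concatenated query would. The table contents are constructed here. The vulnerable lookup concatenates the user value into the query exactly like the PHP line above; the safe lookup binds it as a prepared-statement parameter, so the same payload is just a string that matches nothing.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
SEED_CODES = ["ALPHA1", "BRAVO2", "CHARLIE3"]

# The post's payload shape: close the string, run a destructive statement,
# then open a new SELECT so the script's trailing quote still balances.
# DELETE FROM replaces TRUNCATE because SQLite has no TRUNCATE (assumption).
PAYLOAD = "'; DELETE FROM codes; SELECT * FROM codes WHERE code = '"


def fresh_db():
    """In-memory table of codes, populated with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE codes (code TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO codes VALUES (?)", [(c,) for c in SEED_CODES])
    db.commit()
    return db


def build_vulnerable_query(user_code):
    """Mirrors the PHP line: the user value is glued straight into the SQL text."""
    return "SELECT * FROM codes WHERE code = '" + user_code + "'"


def lookup_vulnerable(db, user_code):
    """Runs the concatenated query on a driver that executes stacked statements.

    executescript runs every ';'-separated statement in the string, which is
    what makes the injected DELETE execute alongside the intended SELECT.
    Returns the query text that was actually sent to the database.
    """
    query = build_vulnerable_query(user_code)
    db.executescript(query)
    return query


def lookup_safe(db, user_code):
    """Prepared statement: the user value is bound as a parameter, never parsed as SQL."""
    rows = db.execute("SELECT code FROM codes WHERE code = ?", (user_code,)).fetchall()
    return [r[0] for r in rows]


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM codes").fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    print("rows before:", row_count(db))
    print("safe lookup with payload:", lookup_safe(db, PAYLOAD))   # [] , table intact
    print("rows after safe lookup:", row_count(db))
    print("vulnerable query sent:", lookup_vulnerable(db, PAYLOAD))
    print("rows after vulnerable lookup:", row_count(db))         # 0 , data gone
```

Note that the safe version needs no sanitizing of the quote characters at all: the driver sends the statement and the value separately, so the payload can only ever be compared against the code column, not executed.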