Client-side input validation is inherently unsafe, because requests can easily be forged. The lack of server-side checks and query formatting allows for SQL injection attacks.
https://www.w3schools.com/sql/sql_syntax.asp
The quote character (' or ") ends a string. Unexpected quote marks in SQL statements result in exploits.
See Let’s Talk! README.md#Vulnerabilities for examples.