Usually because the password database is able to be compromised by some code injection bug (e.g. SQLi). In order to prevent this you should be using a library the makes it impossible to mix code and input data like that.