Well SQL Injections happens when an application has poorly implemented security. It doesn’t come from manipulation or anything like that. SQL Injections are a thing because some people literally throw in a variable into the SQL statements which can be exploited to translate to literal SQL syntax. To really avoid SQL Injections you have to start using prepared statements in either PDO or mysqli. Stop using those regular queries where you throw variables into the SQL statement like this ->query(“SELECT blah, blah FROM blahTable WHERE id = $id”);. Stop doing this. This is how SQL Injections happen.
So user manipulation has really nothing to do with SQL Injections. It happens when developers implement poor security.