PHP ile ve DB gibi ben MySQL kullanabilirsiniz. Burada komut kendisidir.

$unsafe_variable = $_GET["user-input"];
$sql=sprintf("INSERT INTO table (column) VALUES('%s')",$unsafe_variable);
mysql_query($sql);

Some people say that if user assigns ;DROP TABLE blah; string to the variable $unsafe_variable it deletes the table.
But I tried this example - http://localhost/test.php?user-input=DROP%20TABLE%20my_table and it didn't delete the table but instead inserted a new row (;DROP TABLE blah;) in the table.
Could anybody explain me how it is possible to attack this script with sql injections?
Thanks a lot.