This question already has an answer here:
//database connection
include ("inc/db.php");
// select record from mysql
$sql="SELECT c.conference_id, concat(s.firstName,' ',s.lastName) as
Student, concat(ta.firstName,' ',ta.lastName) as Teacher, ta.title, sc.schoolName,
sc.logo, sc.phone, sc.fax, sc.css, sc.studentHours,
concat(ts.month,'/',ts.day,'/',ts.year) as Date, ts.startTime,
ts.endTime, ta.room, p.parent_id
FROM conference c,
student s,
teacherAdmin ta,
school sc,
timeslots ts,
parent p
WHERE c.conference_id = ts.conference_id
and ta.teacherAdmin_id = ts.teacherAdmin_id
and p.parent_id = c.parent_id
and s.student_id = c.student_id
and sc.school_id = ta.school_id
and s.student_id = '".$student_id."'
and c.parent_id = '".$parent_id."'
GROUP BY conference_id";
$result = $conn->query($sql);
?>
</div>
Yes, this sql is ready for injection. If it $student_id will be value "0 OR 1=1; --", it will dump all your table.