10-04-2007, 08:26 PM
#6
Moderateur
Join Date: Apr 2007
Posts: 1,393
Thanks: 5
Quote:
Originally Posted by Haris
Thanks, and I thought sprintf was only used for user-submitted data?
$szUser is submitted data ($szUser = $_POST['user'];). Just because you're using a SELECT here doesn't mean that a nasty user couldn't inject other code to UPDATE/DELETE/whatever.
From looking at your original post, it doesn't look like you're escaping any of the POSTed data. The validation class might help a bit (I don't know, we can't see what it does) but you should always, always use the escaping functions for all input data.
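To make the moderator's point concrete, here is an added example (not code from the thread or from Haris's original post) showing the same lookup written two ways: once with sprintf over an escaped value, and once as a prepared statement where no escaping step can be forgotten. It assumes a mysqli connection with placeholder credentials and a hypothetical `users` table with `user` and `email` columns; the function names are my own.

```php
<?php
// Added example: handling $_POST['user'] before it reaches a SELECT.
// Assumes a MySQL `users` table with `user` and `email` columns
// (hypothetical) and the placeholder credentials below.

// Escaping approach: sprintf is only safe once the value has been run
// through real_escape_string, so the input cannot close the quoted
// literal and append further SQL.
function lookupUserEscaped(mysqli $db, string $szUser): ?array
{
    $safe = $db->real_escape_string($szUser);
    $sql  = sprintf("SELECT user, email FROM users WHERE user = '%s'", $safe);
    $res  = $db->query($sql);
    if ($res === false) {
        return null;
    }
    $row = $res->fetch_assoc();
    $res->free();
    return $row ?: null;
}

// Prepared-statement approach: the SQL text and the value travel
// separately, so the value is never parsed as SQL, whatever it contains.
function lookupUserPrepared(mysqli $db, string $szUser): ?array
{
    $stmt = $db->prepare("SELECT user, email FROM users WHERE user = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $szUser);
    $stmt->execute();
    $stmt->bind_result($user, $email);
    $row = $stmt->fetch() ? ['user' => $user, 'email' => $email] : null;
    $stmt->close();
    return $row;
}

// Placeholder connection details; replace with real ones to run this.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}

// Raw POSTed value, exactly as in the original post; both functions
// apply their own protection before the value touches the query.
$szUser = $_POST['user'] ?? '';

var_dump(lookupUserEscaped($db, $szUser));
var_dump(lookupUserPrepared($db, $szUser));
```

The escaped version works, but it depends on every caller remembering to escape before every sprintf; the prepared version makes that impossible to forget, which is why it is the usual recommendation for any value that originates in $_POST or $_GET, regardless of whether the statement is a SELECT.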