looking for vulnerable (old) plugins for Moodle

Re: looking for vulnerable (old) plugins for Moodle

by Dan Marsden -
I would probably create your own vulnerable files.


Something like the following, in a file somewhere in your root dir, could be a good example.


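<?php
require_once(__DIR__ . '/config.php');
// Taken straight from the query string, with no cleaning or type check.
$username = $_GET['username'];
// Deliberately vulnerable: the value is concatenated into the SQL text.
$record = $DB->get_record_sql("SELECT firstname from {user} where username = $username");

echo $record->firstname;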

From that example you can then cover:

1) Authenticate the user (require_login)
2) Authorise the user (require_capability/check if this user should be able to view the passed user id.)
3) Sanitise input (use optional param) - I'd probably start by showing them how PARAM_TEXT might help, but then how you can still attack that SQL query with PARAM_TEXT.
4) Parameterise database vars - using Moodle API db functions and never injecting vars into inline sql.

You can also talk about how to use the original script to get Moodle to output different values instead of the user-fullname.

Of course - if you run this in a live scenario on a single box that everyone can access, be prepared for the first student to completely break the site - preventing your other students from being able to do much.

Then you could create other scripts that provide examples for other issues - CSRF/XSS etc.
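
An added example, not part of the original post: one way the script could look once the four steps listed above have been applied, for use as the "after" version in class. The choice of PARAM_USERNAME, the moodle/user:viewdetails capability and the "own record or capability in the user context" policy are assumptions made for illustration.

```php
<?php
// Added illustration: the teaching script after steps 1-4 are applied.
require_once(__DIR__ . '/config.php');

// 1) Authenticate: visitors without a session are sent to the login page.
require_login();

// 3) Sanitise input: required_param() fails if the parameter is missing and
//    cleans the value to the characters allowed in usernames (assumed type).
//    Cleaning alone does not make a value safe to paste into SQL text.
$username = required_param('username', PARAM_USERNAME);

// 4) Parameterise: the conditions array is bound by the DB layer, so the
//    value never becomes part of the SQL string. MUST_EXIST makes a missing
//    row throw an exception instead of returning false.
$record = $DB->get_record(
    'user',
    [
        'username'   => $username,
        'mnethostid' => $CFG->mnet_localhost_id, // Usernames are unique per host.
        'deleted'    => 0,
    ],
    'id, firstname',
    MUST_EXIST
);

// 2) Authorise: users may read their own record; anyone else needs the
//    capability in that user's context (assumed policy for this exercise).
if ($record->id != $USER->id) {
    require_capability('moodle/user:viewdetails', context_user::instance($record->id));
}

// Escape on output so a stored name cannot inject markup into the page.
echo s($record->firstname);
```

Where hand-written SQL is needed, the same binding is available through $DB->get_record_sql() with a ? placeholder in the query and the value passed in the params array.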