You should always sanitize the param that will be supplied into your SQL statement.
You may use PHP's preg_replace to sanitize it. In addition, you may use the RemoveXss global function to remove any XSS attack from your param.

    function UpdateModuleName($moduleID) {
        $param_moduleID = RemoveXss($moduleID); // remove the XSS if any; just in case
        $param_moduleID = preg_replace('/[^a-zA-Z0-9]/', '', $param_moduleID); // only allow a-z, A-Z, 0-9 characters
        return ExecuteScalar("SELECT Module FROM Updates_Modules WHERE id='" . $param_moduleID . "'");
    }
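
The same lookup with the allowlist used as a validator and the value bound as a query parameter, as an added example that is not code from the original page. Assumptions: plain PDO with an in-memory SQLite table stands in for the project's connection and ExecuteScalar, the helper names normalizeModuleId and getModuleName and the 32-character limit are hypothetical, and the sample rows are constructed.

```php
<?php
// Added example: PDO and the in-memory SQLite table stand in for the
// project's own connection; helper names and sample rows are constructed.

function normalizeModuleId(string $moduleID): ?string
{
    // Same allowlist as above (a-z, A-Z, 0-9), but reject instead of strip:
    // stripping turns "1'2" into "12" and silently looks up a different row.
    // The 32-character limit is an assumed upper bound for an id.
    return preg_match('/\A[a-zA-Z0-9]{1,32}\z/', $moduleID) === 1 ? $moduleID : null;
}

function getModuleName(PDO $db, string $moduleID): ?string
{
    $id = normalizeModuleId($moduleID);
    if ($id === null) {
        return null; // invalid input never reaches the database
    }
    // The value is bound, not concatenated, so it cannot change the statement.
    $stmt = $db->prepare('SELECT Module FROM Updates_Modules WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $module = $stmt->fetchColumn();
    return $module === false ? null : (string) $module;
}

// Constructed sample data for a stand-alone run.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Updates_Modules (id TEXT PRIMARY KEY, Module TEXT)');
$db->exec("INSERT INTO Updates_Modules (id, Module) VALUES ('12', 'Billing'), ('A7', 'Reports')");

var_dump(getModuleName($db, 'A7'));   // well-formed id with a matching row
var_dump(getModuleName($db, '1\'2')); // malformed id: rejected, not rewritten to "12"
var_dump(getModuleName($db, '999'));  // well-formed id with no matching row
```

With binding in place the allowlist becomes an input-validation layer; the query stays safe even if the pattern is later loosened.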