SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
SQL injection exploits a type of computer security vulnerability found in applications with SQL databases. It enables attackers to apply malicious SQL commands to the database via user input. It can for example extract, alter or delete sensitive data.
The vulnerability is present when user input is used directly in the SQL commands, instead of as parameters or properly filtered (also known as "sanitized", e.g. by quoting escape characters). It happens primarily because of poorly written SQL handling functions in client applications.
See famous example - Bobby Tables incident and the community wiki question's answer How can I prevent SQL injection in PHP?
Useful Links