SQL injection is a security vulnerability that occurs in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.
This results in the potential manipulation of the statements performed on the database by the end user of the application.
Say you have an SQL for retrieving user information as below
SELECT * FROM users WHERE name = '" + userName + "';"
Now instead of userName being a valid one it comes up as something like
a';DROP TABLE users;
then the SQL becomes
SELECT * FROM users WHERE name = 'a';DROP TABLE users;
This will delete the users table on the MySQL database.