SQL Injection is a code injection technique, which exploits a security vulnerability occurring in the database layer of a web application. The vulnerability is present when user input is incorrectly filtered for special characters embedded in a SQL statement and thereby unexpectedly executed, i.e. the input was injected into the SQL statement issued by the web application.
Attackers may be able to extract sensitive information, use the database server as a pivoting point to attack other servers or cause Denial of Service (DoS) by destroying the database itself.
Sanitize all user-supplied data before it is used as part of any database queries issued by the web application. Most web development platforms provide a mechanism known as parameterized/prepared statements, which is considered a safer option when interfering with the database layer.