SQL Injection happens when keywords/characters specific to the database requests are injected via user input. The best example to explain about SQL injection would be the search text box in a web application. We know that some of the characters in SQL query are used for special purposes. Say for example the “%” in a query that uses like keyword matches anything. Suppose if I give a search text as “Hello %” and click on search the application that does not avoid SQL injection might bring results that has “Hello” followed by anything. What I might really want is to bring results that actually contain “Hello %”. The search example was a simple scenario; think about critical applications like banking applications. If the input is not scrutinized for SQL injection the result could be catastrophic. Few languages provide built in functions to escape SQL injection before an input from user is passed with the query. Refer Vlado’s blog on SQL Injection for good reference links.