When a program builds a SQL statement from some input, a SQL injection attack can modify the behavior of that statement by injecting a piece of SQL into the input.
Below is an example of a SQL statement built with the help of an input.
"SELECT * FROM clients WHERE clientId = " + inputClientId;
If an attacker gives inputClientId the value 10 or 1=1, the resulting SQL would be:
SELECT * FROM clients WHERE clientId = 10 or 1=1;
which returns all clients.
To prevent SQL injection, pass the input to the SQL statement as a parameter instead of concatenating it into the SQL text. See SQL - Parameter (Bind | Substitution) (Marker | Variable)
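
The clients query above, run both ways against an in-memory SQLite database. This is an added example, not code from the original page. The table contents, the function names and the use of Python's sqlite3 module are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory clients table (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (clientId INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO clients (clientId, name) VALUES (?, ?)",
        [(10, "Alice"), (11, "Bob"), (12, "Carol")],
    )
    return conn


def find_client_concat(conn, input_client_id):
    """Vulnerable form from the page: the input becomes part of the SQL text."""
    sql = "SELECT * FROM clients WHERE clientId = " + input_client_id
    return conn.execute(sql).fetchall()


def find_client_param(conn, input_client_id):
    """Parameterized form: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT * FROM clients WHERE clientId = ?"
    return conn.execute(sql, (input_client_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for value in ("10", "10 or 1=1"):
        # Concatenation: the second value changes the WHERE clause itself.
        print(repr(value), "concat:", find_client_concat(conn, value))
        # Binding: the second value is compared as one literal and matches nothing.
        print(repr(value), "param: ", find_client_param(conn, value))
```

With the bound parameter, the whole string 10 or 1=1 is compared to clientId as a single value, so the or 1=1 part never reaches the SQL parser.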