SQL injection is a tactic used in attacking a database or a server via its front-end (e.g. website). Through putting parts of SQL statements in an entry field of the website, hackers can try and get the site to run the newly-created malicious command to the database itself, for instance, dumping its contents to a remote server under the control of the attacker.
This type of attack takes advantage of logical or structural loopholes in the source code through issuing a wrong or unexpected user input, resulting in a messed up execution. The ‘injection’ of code is to exploit a vulnerability of a website or a software. For example, SQL commands to alter or harvest information on the database would be put on the web entry form and run on the database.