SQL injection is a code injection technique that exploits security vulnerabilities in web applications. It works by inserting malicious SQL statements into entry fields for execution by the backend database, allowing an attacker to retrieve hidden data, subvert application login, retrieve data from other database tables, and examine the database structure. SQL injection vulnerabilities occur when user input is not sanitized and is used to construct SQL queries through string concatenation. The impact can include unauthorized access to sensitive data and damage to the application's reputation. Proper use of parameterized queries can prevent SQL injection by separating user input from the SQL query structure.