SQL injection is a web security vulnerability that allows attackers to interfere with or gain access to a database through a web application. It occurs when user input is not validated for SQL keywords and special characters that could modify the intended SQL queries. Attackers can use SQL injection to read sensitive data from the database, modify database contents, or even execute administrative operations. Proper input validation and output encoding can help prevent SQL injection attacks.