SQL injection involves inserting malicious SQL fragments into web application entry points such as URL parameters, cookies, or form fields. By exploiting flaws in how an application handles special characters in user input, an attacker can alter the SQL queries the application executes to bypass authentication, read sensitive data, or take control of the underlying database. Common techniques include terminating a query with the "--" comment sequence and injecting always-true conditions so the query returns rows without valid credentials. SQL injection has ranked among the top web vulnerabilities for many years because databases are used nearly everywhere, yet the code that builds queries from user input is often written insecurely.
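The paragraph above describes the root cause (user input spliced into the SQL text) and the fix implied by it (input bound as data). As an added example, not code from the original page, the following Python script shows a login check written both ways against a constructed in-memory SQLite database: `login_vulnerable` concatenates the input into the query string, so the "--" and always-true tricks described above alter the query, while `login_parameterized` passes the same input as bound parameters, so the database treats it as a literal value. The table, the sample user and the function names are assumptions made for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user in an in-memory SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: user input becomes part of the SQL grammar.

    A username such as alice'-- closes the string literal and comments out
    the password check, so the row is found without the real password.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened pattern: placeholders bind the input as data, never as SQL.

    The same alice'-- input is compared literally against the username
    column and matches nothing.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def compare(username, password):
    """Run both login checks on the same input and report the outcomes."""
    return {
        "vulnerable": login_vulnerable(make_db(), username, password),
        "parameterized": login_parameterized(make_db(), username, password),
    }


if __name__ == "__main__":
    # Legitimate credentials succeed under both implementations.
    print("valid login:", compare("alice", "correct horse battery staple"))
    # Comment-terminated username: only the concatenating version is fooled.
    print("comment trick:", compare("alice'--", "wrong"))
    # Always-true condition in both fields: same outcome.
    print("true condition:", compare("x' OR '1'='1", "x' OR '1'='1"))
```

Running the script shows `True` for both implementations with the real password, and `True` only for the vulnerable version with the injected inputs. Parameterized queries (prepared statements) are the primary mitigation; input validation and least-privilege database accounts limit the damage when a query is still built by hand somewhere.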