An SQL injection attack is a method used against a database either to obtain otherwise confidential information or to modify the contents of the database. The attack is used against a web page that allows users to enter information that will be added to the database or used to query the database. The web page with the HTML form on it is vulnerable to SQL injection if the programmer of the website did not check the entered data and prevent quotes and other special characters from being sent to the SQL query string.
Usually the attacker will put some data into the form that includes a single or double quote. The attacker may place a semicolon after the quote, then place an SQL command after the semicolon. The attacker tries to get the database to run the injected SQL command. If the attacker is able to run injected SQL commands, they may try to list the tables in the database, then list the fields. Once they understand the tables and fields in the database, they can read the contents of the database and even modify it where they want.
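
The following is an added example, not code from the original page: it shows a query built by pasting form data into the SQL string beside the same query using a bound parameter, which keeps quotes out of the SQL text. The `users` table, the function names and the sample inputs are constructed for illustration, and Python's built-in `sqlite3` module stands in for the site's database.

```python
import sqlite3

def make_db():
    # Constructed sample data; the `users` table is hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)",
                   [("alice",), ("O'Brien",)])
    return db

def build_unsafe_sql(name):
    # Vulnerable: form data is pasted into the SQL text, so a quote in
    # `name` ends the string literal and whatever follows is parsed as SQL.
    return "SELECT id, name FROM users WHERE name = '" + name + "'"

def lookup_unsafe(db, name):
    return db.execute(build_unsafe_sql(name)).fetchall()

def lookup_safe(db, name):
    # Hardened: the ? placeholder binds `name` as a value; it is never
    # parsed as SQL, so quotes and semicolons stay ordinary characters.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def demo():
    db = make_db()
    form_input = "x'; SELECT 1; --"   # constructed: quote, semicolon, SQL
    results = {"sql_sent_unsafe": build_unsafe_sql(form_input),
               "safe_injected": lookup_safe(db, form_input),
               "safe_quote_name": lookup_safe(db, "O'Brien")}
    try:
        results["unsafe_quote_name"] = lookup_unsafe(db, "O'Brien")
    except sqlite3.Error as exc:
        # Even a legitimate name breaks the query: its quote reached the parser.
        results["unsafe_quote_name"] = "error: " + str(exc)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The `sql_sent_unsafe` entry shows the text the database would receive from the concatenating version: the entered quote closes the string literal, leaving a second statement after the semicolon.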