SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.
Via security.stackexchange.com
There is a community wiki on Stack Overflow which has some answers to the very common question, "How can I protect myself from SQL injection?" If your question involves PHP and SQL, make sure you have already read this to prevent unnecessary repetition.