It is a malicious act done thru injecting sql commands to input fields supplied to user(s). But this attack can be catch thru escaping user inputs before passing to actual query in the database.