Inserting or 'injecting' a SQL query via input data from the client into the application. If successful, the exploit can read sensitive data from the database, or perhaps modify the data or perform administrative actions.