Tuesday, May 11, 2010

SQL injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.


One form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. As a result, the end user of the application can potentially manipulate the statements executed against the database.

The following line of code illustrates this vulnerability:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

SQL injection example:
Input supplied as userName: a' or 't'='t
Resulting statement: SELECT * FROM users WHERE name = 'a' OR 't'='t';
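
The same input run against the concatenated statement and against a parameterized one, as an added example that is not part of the original post. It assumes Python's sqlite3 module, an in-memory table with constructed rows, and the hypothetical helper names make_db, find_user_concat and find_user_param:

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory users table with three rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("O'Brien", "obrien@example.test"),
        ],
    )
    return conn


def find_user_concat(conn, user_name):
    # Same construction as the line in the post: the input becomes SQL text.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def find_user_param(conn, user_name):
    # The ? placeholder binds user_name as a value; it is never parsed as SQL.
    return conn.execute(
        "SELECT * FROM users WHERE name = ?", (user_name,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for value in ["alice", "a' or 't'='t", "O'Brien"]:
        try:
            concat_rows = len(find_user_concat(conn, value))
        except sqlite3.OperationalError as exc:
            # A legitimate name containing a quote breaks the concatenated SQL.
            concat_rows = "error: %s" % exc
        param_rows = len(find_user_param(conn, value))
        print(repr(value), "| concatenated:", concat_rows, "| parameterized:", param_rows)
```

With the parameterized form the input from the post matches no row, and a legitimate name containing a single quote is looked up correctly instead of breaking the statement.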

For more: http://en.wikipedia.org/wiki/SQL_injection