SQL injection vulnerabilities occur when developers incorrectly process user input, allowing attackers to sneak their own database commands into a web app.