SQL injection involves inserting malicious SQL statements into an application's input fields to manipulate the database and gain unauthorized access to data.