Let's talk about it a little.
The concept is simple. Your code allows someone to place additional SQL commands in it. That "injected" code enables data access and/or system hacking (depending on the security in place).
Simply put:
Parameterize the query
Escape the input
Have proper security in place
Use correct data types
In a nutshell. There are a ton more details, but that covers the basics.
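The "parameterize the query" and "use correct data types" points above, as an added example that is not part of the original thread. It uses Python's built-in sqlite3 module; the table, rows, function names and the crafted input are all constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?, ?)",
                   [(1, "alice", "A"), (2, "bob", "C"), (3, "carol", "B")])
    return db

def lookup_concatenated(db, name):
    """Vulnerable: the input becomes part of the SQL text itself."""
    sql = "SELECT name, grade FROM students WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    """Parameterized: the SQL text is fixed and the input is bound as data."""
    sql = "SELECT name, grade FROM students WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def lookup_by_id(db, raw_id):
    """Correct data type: reject anything that is not an integer, then bind it."""
    try:
        student_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = "SELECT name, grade FROM students WHERE id = ?"
    return db.execute(sql, (student_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing SQL syntax
    # Concatenation: the quote closes the string literal, so the OR clause
    # runs as SQL and every row comes back.
    print("concatenated: ", lookup_concatenated(db, crafted))
    # Parameterized: the same input is compared as a plain string; no match.
    print("parameterized:", lookup_parameterized(db, crafted))
    # Typed lookup: a numeric id works, anything else is refused up front.
    print("by id:        ", lookup_by_id(db, "2"))
    try:
        lookup_by_id(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:     ", exc)
```
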
Want to get really angry? Read how some developers and admins are exposing children's data through #sqli
theverge.com/2019/4/27/1851…
or your college data: campustechnology.com/articles/2019/…
The problems are deep and wide. Too many new developers without knowledge. Lack of institutional understanding of the problem. Speed of delivery over quality of delivery.
Those are just a few.
Hello World examples.
We don't do a good enough job building example code. I say this as someone who is guilty of bad example code (hi @Hugo_Kornelis )
There, it's not sophisticated hackers that look like this: