An SQL injection is when user input is crafted so that it changes the structure of a query and makes the database do something unintended.
Given a username and password store, the intended query may look something like:
SELECT * FROM users WHERE password = var1 AND username = var2
which the application builds by concatenating the user-supplied values straight into the query text:
"SELECT * FROM users WHERE password = '" + var1 + "' AND username = '" + var2 + "'"
A user can give malicious inputs to this in order to manipulate its intended purpose:
username: hacker' OR 'A'='A
password: password' OR 1+2='3
These inputs make the WHERE clause true for every row, so the query bypasses the credential check and logs the user in as the first account returned!
Because of attacks like the one above, input filtering was introduced to avoid this.
This led to stripping out all dangerous characters, such as ', " and other characters that could break out of the query.
Avoiding this filter
But this filter can be avoided! SQL has built-in functions that the database evaluates as part of the query.
The interesting one here is CHAR, which turns an ASCII code into a character.
Now, the username:
hacker' OR 'A'='A is equivalent to
hacker CHAR(39) OR CHAR(39)ACHAR(39)=CHAR(39)A
The only difference is that the second one contains no ' character at all, so it passes a filter that only strips quotes.
There are many other ways to bypass such filters with SQL functions; you just have to understand the language and the database software and version, and be creative!
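The two points above, the concatenated login query and the fragility of a quote-stripping filter, as an added example that is not part of the original page. It uses an in-memory SQLite database with a constructed users table (the table, the account names and the function names are assumptions). It runs the page's injected username and password through three versions of the lookup: plain concatenation, concatenation behind the quote-stripping filter, and a parameterized query. It also shows that the database itself can produce the apostrophe via CHAR(39), which is why a filter that only removes characters from the input is not a reliable defense:

```python
import sqlite3

# Constructed fixture (not from the original page): a tiny users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, username, password):
    """The page's vulnerable pattern: query text built by string concatenation."""
    sql = (
        "SELECT username FROM users WHERE password = '" + password
        + "' AND username = '" + username + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def strip_quotes(value):
    """The page's blacklist filter: remove ' and " from the input before concatenating."""
    return value.replace("'", "").replace('"', "")


def lookup_filtered(conn, username, password):
    """Same concatenation, but with the quote-stripping filter applied first."""
    return lookup_concat(conn, strip_quotes(username), strip_quotes(password))


def lookup_parameterized(conn, username, password):
    """Mitigation: placeholders keep the input as data; it is never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE password = ? AND username = ?",
        (password, username),
    )
    return [row[0] for row in rows]


def char39(conn):
    """CHAR(39) evaluates to the apostrophe inside the database, so a filter that
    only deletes quote characters from the input does not remove the capability."""
    return conn.execute("SELECT CHAR(39)").fetchone()[0]


# The page's injected inputs.
INJECTED_USER = "hacker' OR 'A'='A"
INJECTED_PASS = "password' OR 1+2='3"


def demo():
    """Run the injected inputs through each lookup and report which rows come back."""
    conn = make_db()
    return {
        "concat": lookup_concat(conn, INJECTED_USER, INJECTED_PASS),       # every user
        "filtered": lookup_filtered(conn, INJECTED_USER, INJECTED_PASS),   # no rows
        "parameterized": lookup_parameterized(conn, INJECTED_USER, INJECTED_PASS),  # no rows
        "char39": char39(conn),                                            # "'"
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The concatenated query returns every user because the injected `OR 'A'='A'` makes the WHERE clause true for all rows. The filtered version happens to stop this particular payload, but the `char39` result shows the database can still materialize the stripped character, which is the weakness the page describes. The parameterized query returns nothing for the injected input and still returns the right row for a genuine username and password, so it is the fix to prefer over any character blacklist.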