An Application when ask the user to input and submit the information, It is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection -
$variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$variable ')");
What if user input something like DML statement such as:
INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')