SQL Injection is an attack where an attacker injects malicious SQL queries. To prevent it, use prepared statements. In PHP using PDO:
$user_input = $_POST['input'];
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->execute(['username' => $user_input]);
