If a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a user may be able to run malicious database queries.

Most database connector libraries offer a way of safely embedding untrusted data into a query by means of query parameters or prepared statements.

In the following snippet, from an example Django app, a name is stored in the database using two different queries.

In the first case, the query string is built by directly using string formatting from a user-supplied request attribute. The parameter may include quote characters, so this code is vulnerable to a SQL injection attack.

In the second case, the user-supplied request attribute is passed to the database using query parameters.
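The contrast between the two cases, as an added stand-alone example (not the page's own Django snippet): it uses Python's `sqlite3` module as a stand-in for the Django database backend, with a constructed in-memory table, and compares a string-formatted query with a parameterized one on the same input. A name containing a quote character, such as `O'Brien`, is enough to break the formatted query, while the parameterized form stores it unchanged.

```python
import sqlite3


def _db():
    # Constructed in-memory database standing in for the app's backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    return conn


def save_name_unsafe(conn, name):
    # VULNERABLE: the query text is built with string formatting, so any
    # quote characters in `name` are parsed as SQL syntax, not as data.
    conn.execute("INSERT INTO users (name) VALUES ('%s')" % name)


def save_name_safe(conn, name):
    # FIXED: the value travels as a query parameter and is never parsed as
    # SQL. (sqlite3 uses `?` placeholders; Django's raw cursor uses `%s`.)
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY name")]


def demo(name):
    """Run both variants on the same input.

    Returns (unsafe_error, safe_rows): the exception class name raised by the
    formatted query (None if it ran) and the rows the parameterized query stored.
    """
    unsafe_error = None
    conn = _db()
    try:
        save_name_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe_error = type(exc).__name__
    conn2 = _db()
    save_name_safe(conn2, name)
    return unsafe_error, stored_names(conn2)


if __name__ == "__main__":
    print(demo("Alice"))      # (None, ['Alice'])
    print(demo("O'Brien"))    # ('OperationalError', ["O'Brien"])
```

The formatted query fails on ordinary data with an apostrophe; the parameterized query accepts it because the database never interprets the value as part of the statement.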

  • Wikipedia: SQL injection.
  • OWASP: SQL Injection Prevention Cheat Sheet.