Robert J
It's when a badly coded site allows user input text or data to be passed directly in to an SQL query, without being checked for malicious character formatting.
That can add commands to the intended SQL query, doing such as returning all table entries rather than just trying to match a username, for example.
The protection is to always put all user input through proper filtering so no SQL special characters are passed without being "escaped" so they are not interpreted.
And/or use "prepared" statements with mysql, so data and commands are kept isolated.
Don't forget to salt and hash passwords - never store them as entered!
David K
you didn't specify the technology for your website so details can't be provided. I suggest you do a web search for sql injection and review the many sites that pop up to see which applies to your concerns.