SQL injection attacks occur when malicious SQL statements are injected into an application's existing SQL commands, potentially allowing attackers to alter or destroy database contents. Attackers can exploit weaknesses such as unvalidated user input or the direct use of dynamic SQL queries. To prevent this, developers should follow practices such as validating input, parameterizing queries, and limiting database account privileges to only what is necessary.
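The three practices above, side by side with the dynamic query they replace, as an added example that is not part of the original page. The `users` table, the function names and the sample rows are constructed for illustration, and SQLite's `PRAGMA query_only` stands in for a database account limited to read privileges.

```python
import re
import sqlite3

NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # assumed allow-list for user names

def make_db():
    """Constructed sample data: an in-memory table of hypothetical users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn

def lookup_dynamic(conn, name):
    """Vulnerable 'before': user input is concatenated into the SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    """Hardened: the input is bound as a value and never parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def lookup_validated(conn, name):
    """Input validation in front of the parameterized query."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    return lookup_parameterized(conn, name)

def restrict_to_reads(conn):
    """SQLite stand-in for a least-privilege account: refuse all writes."""
    conn.execute("PRAGMA query_only = ON")

def write_blocked(conn):
    """Return True if the connection refuses a destructive statement."""
    try:
        conn.execute("DELETE FROM users")
    except sqlite3.OperationalError:
        conn.rollback(); return True
    conn.rollback(); return False

if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed test input containing a quote
    print("dynamic:      ", lookup_dynamic(conn, crafted))
    print("parameterized:", lookup_parameterized(conn, crafted))
    restrict_to_reads(conn)
    print("write blocked:", write_blocked(conn))
```

With the constructed input, the dynamic query returns every row because the quote changes the statement's structure, while the parameterized query treats the same string as a name that matches nothing.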