With regard to SQL injection, it's almost a given fact that any application will make use of queries against the database storage. Obviously, for any hacker, that presents an opportunity to utilize the queries for what they were not intended to do. They can do this by modifying the query for their intended purpose.

If you concatenate strings to make SQL statements and/or otherwise use dynamic SQL, this presents a particularly risky environment that can be exploited with SQL injection.