A security attack where someone sneaks extra SQL commands into your query by typing them into a form field. Using an ORM with parameterized queries protects you from this automatically.