The app in this demo is the task management system from your assignment. A manager types a name into a search box to see someone's tasks. Normal inputs like Alice Jensen work perfectly.
But the backend builds the SQL query by concatenating the input directly into a string. This means an attacker doesn't need an account, doesn't need to know the schema, and doesn't need any special tools — just a text box and some knowledge of SQL syntax.
SQL injection has been in the OWASP Top 10 most critical web vulnerabilities for over 20 years. It is responsible for some of the largest data breaches in history — not because it is sophisticated, but because it is easy to overlook when everything works fine in testing.
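The difference between concatenating the search input and binding it as a parameter, as an added example that is not the assignment's own code: the `tasks` table, its columns, the sample rows and the function names are assumptions, and an in-memory SQLite database stands in for the real backend. A normal name behaves identically in both versions, which is why the flaw passes testing.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tasks (assignee TEXT, title TEXT)")
    db.executemany("INSERT INTO tasks VALUES (?, ?)", [
        ("Alice Jensen", "Prepare sprint report"),
        ("Alice Jensen", "Review pull requests"),
        ("Bob Marsh", "Rotate API keys"),
        ("Carol Diaz", "Update payroll export"),
    ])
    return db

def search_concatenated(db, name):
    # Vulnerable: the input becomes part of the SQL text itself.
    query = "SELECT assignee, title FROM tasks WHERE assignee = '" + name + "'"
    return db.execute(query).fetchall()

def search_parameterized(db, name):
    # Hardened: the input is bound as a value and never parsed as SQL.
    query = "SELECT assignee, title FROM tasks WHERE assignee = ?"
    return db.execute(query, (name,)).fetchall()

def compare(name):
    # Run the same search both ways against a fresh database.
    db = make_db()
    try:
        unsafe = search_concatenated(db, name)
    except sqlite3.Error as exc:
        unsafe = f"SQL error: {exc}"
    return unsafe, search_parameterized(db, name)

if __name__ == "__main__":
    # Constructed inputs: a normal name, a name with an apostrophe,
    # and a string whose quote changes the WHERE clause.
    for name in ["Alice Jensen", "O'Brien", "x' OR '1'='1"]:
        unsafe, safe = compare(name)
        print(repr(name))
        print("  concatenated: ", unsafe)
        print("  parameterized:", safe)
```

A search box that errors on a legitimate name such as O'Brien is a quick review signal that the query is being built by concatenation.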