How does a SQL injection attack occur, and how would you remediate it in a legacy application at Sra Group?