How does a SQL injection vulnerability occur at the database level, and what are the most effective ways to remediate it at Xero?