  • One time I was in Spain and I found 5 Australian dollars on the floor in a train station. I picked it up and pocketed it. The same day, I climbed a bell tower in some museum/remains and was chilling up there for half an hour, without anybody else coming up. Eventually another person came up and said hi. Recognised they were Australian so I asked them if they wanted 5 dollars and they said “…yeah?” And I gave it to them. No explanation.

    I laugh sometimes thinking of the story from their perspective, climbing a Spanish bell tower and meeting an English guy at the top who hands them 5AUD, like an NPC in an RPG.


  • GiveOver@feddit.uk to memes@lemmy.world, "CVS style" (12 upvotes, 21 days ago)

    Here’s an attempt at a non-programmer explanation.

    Companies use a SQL database to store their data. Think of it like an Excel file with multiple tables, storing rows and columns.

    You modify the data with written statements, so you’d add a new row of data with a command like add "John" to the users table. Crucially, you can chain statements, so you could say add "Sally" to the users table and delete "Pizza" from the menu table.

    You wouldn’t be writing this command out manually every time. Say you had a website, you’d write the command as add "<USER>" to the users table and then when the website user sends you their username, you replace <USER> with their name.

    So the user sends their name, Robert, we replace <USER> with Robert and the command becomes add "Robert" to the users table.

    But you’re now open to a hack. What if Robert sends his name as

    Robert" to the users table and delete the entire users table

    You’ve inserted that entire thing into your command, because that sentence will replace the <USER> part of your command. So your full command becomes

    add "Robert" to the users table and delete the entire users table" to the users table

    This will delete your entire table. The second half of the command doesn’t make sense, but it’s too late: SQL has already deleted it.

    The XKCD joke is somebody actually naming their child to execute the hack.
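
The comment's plain-English commands translated into real SQL, as an added example that is not part of the original comment: the same name is inserted once by pasting it into the command text and once through a placeholder. The `users` schema, the function names and the sample name are constructed for illustration, and SQLite's `executescript()` stands in for a database that accepts chained statements.

```python
import sqlite3

# Constructed input mirroring the comment's "Robert" example, in real SQL syntax.
MALICIOUS_NAME = "Robert'); DROP TABLE users; --"

def new_db():
    """In-memory database with an empty users table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    return db

def table_exists(db, table):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None

def add_user_vulnerable(db, name):
    # The name is pasted into the command text, so a quote inside it can end
    # the string early and start a new statement. executescript() is used
    # because it runs chained statements, as the comment describes.
    db.executescript(f"INSERT INTO users (name) VALUES ('{name}');")

def add_user_safe(db, name):
    # The ? placeholder sends the name as data, separate from the command,
    # so it is stored verbatim and never parsed as SQL.
    db.execute("INSERT INTO users (name) VALUES (?)", (name,))
    db.commit()

def demo():
    vulnerable, safe = new_db(), new_db()
    add_user_vulnerable(vulnerable, MALICIOUS_NAME)
    add_user_safe(safe, MALICIOUS_NAME)
    stored = [r[0] for r in safe.execute("SELECT name FROM users")]
    # (users table survives in vulnerable db?, survives in safe db?, stored names)
    return table_exists(vulnerable, "users"), table_exists(safe, "users"), stored

if __name__ == "__main__":
    print(demo())
```

With the placeholder version the odd name is simply stored as a row, which is why parameterized queries are the standard fix for this bug.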