This is really simple. Many will try to prevent SQL injection using the PHP addslashes() function. However, this is easily bypassed using an invalid multi-byte character. Let me illustrate how this works:
Entering the hex value: 0xbf27 (invalid)
MySQL will mutate it into something valid: 0xbf5c27
When looking at this mutated result in ASCII, it looks like: ¿\'
The issue exists at the byte level. The 0xbf5c is read as a single (two-byte) character, leaving the 0x27 by itself. That means that although there is a preceding slash, it is not registering it as such, and leaves the inverted comma unescaped and successfully injected past addslashes().
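To make the mechanism concrete, here is an added Python example (not code from the original post) that models the two sides: a byte-level escaper in the spirit of addslashes(), which knows nothing about character sets, and the server reinterpreting the escaped bytes as GBK. The input bytes 0xbf27, the `gbk` charset and the helper names are assumptions chosen for the illustration; the charset-aware path shows the mitigation, namely decoding strictly in the connection's charset before escaping (or, better, using parameterized queries so no escaping is needed at all).

```python
# Added example: why addslashes()-style byte escaping fails under GBK,
# and what charset-aware handling does instead. Not from the original page.


def addslashes_bytes(data: bytes) -> bytes:
    """Byte-level escaping like PHP's addslashes(): put a backslash (0x5c)
    before ' " \\ and NUL. It never looks at multi-byte boundaries."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_text(s: str) -> str:
    """Escape *characters* after decoding, so a lead byte can never
    swallow the backslash that was meant for the quote."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\x00", "\\0"))


# Constructed input: GBK lead byte 0xBF followed by a single quote 0x27.
# On its own this is not a valid GBK character.
CONSTRUCTED_INPUT = b"\xbf\x27"


def naive_path(data: bytes, charset: str = "gbk") -> str:
    """addslashes on raw bytes, then the server reads the result in `charset`.
    For b'\\xbf\\x27' this yields b'\\xbf\\x5c\\x27', which GBK decodes as
    one two-byte character followed by a bare quote."""
    escaped = addslashes_bytes(data)
    return escaped.decode(charset, errors="replace")


def quote_unescaped(text: str) -> bool:
    """True if any single quote in `text` is not immediately preceded by a
    backslash, i.e. it would terminate a SQL string literal."""
    return any(c == "'" and (i == 0 or text[i - 1] != "\\")
               for i, c in enumerate(text))


def safe_path(data: bytes, charset: str = "gbk"):
    """Charset-aware handling: decode strictly first (invalid sequences such
    as 0xbf27 are rejected), then escape at the character level."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None  # reject rather than guess
    return escape_text(text)


if __name__ == "__main__":
    naive = naive_path(CONSTRUCTED_INPUT)
    print("naive (gbk):", repr(naive), "quote unescaped:", quote_unescaped(naive))
    single = naive_path(CONSTRUCTED_INPUT, "latin-1")
    print("naive (latin-1):", repr(single), "quote unescaped:", quote_unescaped(single))
    print("safe:", safe_path(CONSTRUCTED_INPUT), safe_path(b"'"))
```

Run as-is, the naive path under GBK produces a two-character string whose quote stands alone, while the same bytes under a single-byte charset stay escaped; the strict path refuses the malformed input and escapes a plain quote correctly. In PHP the equivalent of the safe path is mysqli_real_escape_string() after mysqli_set_charset() with the connection's real charset, and prepared statements remove the escaping step entirely.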
Read more in detail here: