In "Who's on first?", Abbott names the players on a baseball team for Costello, but their names confuse Costello because they are also English words that could be part of his questions or Abbott's answers.
For example, the player on first base is "Who", then when asking "Who's on first" it could mean either "Is the person on first base named Who?" or "What is the name of the person in first base?".
A SQL Injection works by introducing a term in a statement that changes its meaning for the reader from what the writer actually meant.