You're conducting a security assessment for a travel company that has released a mobile app allowing users to book flights and access boarding passes. The app utilizes QR codes for boarding pass verification. You notice that when users generate QR codes, the app creates them with embedded SQL commands that are passed directly to the backend database for validation. What mobile attack vector is most likely being implemented here?