Originally Posted by Tradewind
The Ars Technica article probably has as much info as is going to be detailed this far in. As for what was affected, it's most likely just websites. SQLI is just appending SQL commands to an input or querystring that gets interpreted by the script on the website. So if you have a crappy search form that gets shot into a SQL query without any kind of escaping or cleansing (i.e. "SELECT * FROM `blahblah` WHERE whatever='&$_POST['searchinput']&';"), it's incredibly easy for someone to just type into that search form "blah';DROP TABLE `blahblah`;" and it would execute the entire input, deleting the table 'blahblah' in the process.
It just boils down to poor protection measures and poor scripting. It's such an easy thing to avoid really; PHP has functions built in to cleanse and escape variables and the lot (mysqli_real_escape_string() or addslashes()), and using prepared statements (i.e. bind_param()) and such for entries/updates does it all for you too.
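
The concatenated query and the prepared statement described in the post above, run side by side against the same input, as an added example that is not part of the original post. It assumes PDO with an in-memory SQLite database in place of mysqli/MySQL so it runs without a server; the function names and row data are constructed for illustration, and the table, column and input string are the post's own.

```php
<?php
// Added example: PDO + in-memory SQLite stands in for the MySQL-backed site.
// Function names and rows are constructed; table/column names come from the post.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE blahblah (id INTEGER PRIMARY KEY, whatever TEXT)");
    $pdo->exec("INSERT INTO blahblah (whatever) VALUES ('blah'), ('other')");
    return $pdo;
}

function tableExists(PDO $pdo): bool {
    $stmt = $pdo->query(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='blahblah'");
    return (int) $stmt->fetchColumn() === 1;
}

// Unsafe pattern from the post: the input becomes part of the SQL text.
// Assumption of this demo: the driver call (PDO::exec on SQLite) runs every
// statement found in the string it is given.
function unsafeSearch(PDO $pdo, string $input): void {
    $sql = "SELECT * FROM blahblah WHERE whatever='" . $input . "';";
    try {
        $pdo->exec($sql);
    } catch (PDOException $e) {
        // The leftover quote fragment fails to parse, but the statements
        // before it have already been executed.
    }
}

// Prepared statement: the SQL text is fixed and the input is bound as a value,
// so quotes and semicolons in it are compared as data, never parsed as SQL.
function safeSearch(PDO $pdo, string $input): array {
    $stmt = $pdo->prepare("SELECT * FROM blahblah WHERE whatever = :term");
    $stmt->bindValue(':term', $input, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "blah';DROP TABLE `blahblah`;";   // search-box input quoted in the post

$db = makeDb();
unsafeSearch($db, $input);
printf("concatenated: table exists = %s\n", tableExists($db) ? 'yes' : 'no');

$db = makeDb();
$rows = safeSearch($db, $input);
printf("prepared: rows = %d, table exists = %s\n",
       count($rows), tableExists($db) ? 'yes' : 'no');
```

Run it with the PHP CLI and the pdo_sqlite extension enabled; the two printed lines show whether the table survives each code path.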