This article points out a flaw/weakness in some DB servers called SQL injection. The concept is very similar to CSS (cross-site scripting). The following code is in ASP/MS SQL, but it should make sense across platforms.
Let's say you have a simple HTML form with a single textbox where the user enters their name. On the server side you have the following code:
"SELECT * FROM Users WHERE Username='" & Request.Form("Username") & "'"
If a person enters Bob in the user name box, the query sent to the SQL server would be:
SELECT * FROM Users WHERE Username='Bob'
That's great and all, but what if the user entered:
Bob' DROP TABLE Users--
This would send the following code to the server:
SELECT * FROM Users WHERE Username='Bob' DROP TABLE Users--'
Since MS SQL pretty much ignores whitespace, it's going to execute both commands, the second of which deletes the entire user table. The two dashes start a SQL comment, so the last apostrophe gets ignored and no errors are thrown.
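The concatenation above next to a parameterized lookup, as an added example that is not part of the original article. It assumes Python with an in-memory SQLite database instead of ASP/MS SQL; the function names and sample rows are constructed for the example.

```python
import sqlite3

def build_query_concat(username):
    # Same pattern as the ASP line above: the input is pasted into the SQL text.
    return "SELECT * FROM Users WHERE Username='" + username + "'"

def find_user(conn, username):
    # The SQL text is fixed; the value is bound to the ? placeholder and is
    # only ever compared against the column, never parsed as SQL.
    cur = conn.execute("SELECT Username FROM Users WHERE Username = ?", (username,))
    return [row[0] for row in cur.fetchall()]

def table_exists(conn, name):
    cur = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,))
    return cur.fetchone() is not None

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT)")
    # Constructed sample rows, including a legitimate name with an apostrophe.
    conn.executemany("INSERT INTO Users VALUES (?)", [("Bob",), ("O'Brien",)])
    hostile = "Bob' DROP TABLE Users--"  # the input from the article
    results = {
        # Text the concatenating code would hand to the server (built, not run).
        "concat_text": build_query_concat(hostile),
        "bob": find_user(conn, "Bob"),
        "obrien": find_user(conn, "O'Brien"),
        "hostile": find_user(conn, hostile),
        "table_still_there": table_exists(conn, "Users"),
    }
    # Concatenation also breaks on harmless input: the apostrophe in O'Brien
    # ends the string literal early and the statement no longer parses.
    try:
        conn.execute(build_query_concat("O'Brien"))
        results["concat_obrien_error"] = False
    except sqlite3.OperationalError:
        results["concat_obrien_error"] = True
    conn.close()
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With the placeholder, the article's input is just a user name that matches no row, and the Users table is untouched.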