SQL Injection Attacks

This appeared to be an entirely custom application, and we had no prior knowledge of the application nor access to the source code: this was a "blind" attack. A bit of poking showed that this server ran Microsoft's IIS 6 along with ASP.NET, and this suggested that the database was Microsoft's SQL Server. We believe that these techniques can apply to nearly any web application backed by any SQL server.
The login page had a traditional username-and-password form, but also an email-me-my-password link; the latter proved to be the downfall of the whole system.
When entering an email address, the system presumably looked in the user database for that email address, and mailed something to that address. Since my email address would not be found, it wasn't going to send me anything.
So the first test in any SQL-ish form is to enter a single quote as part of the data: the intention is to see if they construct an SQL string literally without sanitizing. When submitting the form with a quote in the email address, we get a 500 error (server failure), and this suggests that the "broken" input is actually being parsed literally. Bingo.
We speculate that the underlying SQL code looks something like this:
SELECT fieldlist
  FROM table
 WHERE field = '$EMAIL';
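
The speculated query pattern next to its parameterized form, as an added example that is not code from the application described here. It assumes an in-memory SQLite database in place of SQL Server, and the table name, column names and sample rows are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build a throwaway database; schema and rows are constructed samples."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (email TEXT, passwd TEXT)")
    db.execute("INSERT INTO members VALUES (?, ?)", ("alice@example.com", "x"))
    db.execute("INSERT INTO members VALUES (?, ?)", ("o'brien@example.com", "y"))
    return db


def lookup_concatenated(db, email):
    """The pattern speculated above: input pasted between the quotes."""
    sql = "SELECT email FROM members WHERE email = '" + email + "';"
    try:
        return ("ok", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # An unhandled parser error like this is what reaches the
        # browser as the HTTP 500 described in the text.
        return ("error", str(exc))


def lookup_parameterized(db, email):
    """The fix: the value travels separately and is never parsed as SQL."""
    sql = "SELECT email FROM members WHERE email = ?;"
    return ("ok", db.execute(sql, (email,)).fetchall())


if __name__ == "__main__":
    db = make_db()
    for addr in ("alice@example.com", "o'brien@example.com", "'"):
        print(repr(addr))
        print("  concatenated: ", lookup_concatenated(db, addr))
        print("  parameterized:", lookup_parameterized(db, addr))
```

With the concatenated query, even a legitimate address containing an apostrophe fails to parse; with the bound parameter the same address is matched as data and a lone quote simply returns no rows.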

PHP operators are characters

Arithmetic Operators

Operator    Description
+           Addition
-           Subtraction
*           Multiplication
/           Division
%           Modulus (remainder of a division)
++          Increment
--          Decrement

Assignment Operators

Operator    Description
=           Assign
+=          Increments, then assigns
-=          Decrements, then assigns
*=          Multiplies, then assigns
/=          Divides, then assigns
%=          Modulus, then assigns

Comparison Operators

Operator    Description
==          Is equal to
!=          Is not equal to
>           Greater than
>=          Greater than or equal to
<           Less than
<=          Less than or equal to

Logical Operators

Operator    Description
&&          And operator. Performs a logical conjunction on two expressions (if both expressions evaluate to True, result is True. If either expression evaluates to False, result is False).
||          Or operator. Performs a logical disjunction on two expressions (if either or both expressions evaluate to True, result is True).
!           Not operator. Performs logical negation on an expression.

Concatenation Operators

Operator    Description
.           Concatenate (join two strings together)