Basically, in this write up, someone found a database throwing raw database errors back to the client. Next, he tested the website for SQL injections by using '1=1', which is a true statement in SQL world and will not generate any errors. They also found the site was serving a trojan. JOY!
I never understood why anyone would not, at a minimum sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least trap database errors and not return it to the client.
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP