Comment Re:How is SQL involved? (Score 2, Informative)
On the server end there is a SQL injection exploit being used to get the malicious code out there.
My point being that you don't need to do a SQL injection to do this.
To prevent a SQL injection, you need to change ' to '' on input from the user that you pass to SQL.
To prevent an HTML+script injection, you need to change < to &lt;, > to &gt;, & to &amp; etc. on input from the user that is rendered to the browser. The sites in question are not doing this, hence, just stick the code you wish to inject into a comment or some other user field. This has nothing to do with SQL.
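The output escaping the comment describes, as an added example in JavaScript (not code from the comment or from the affected sites). It goes beyond the three characters listed by also escaping quotes, since the same user text often lands inside quoted attribute values; `renderComment`, `leaksMarkup` and the sample inputs are constructed for this example.

```javascript
// Added example, not code from the original comment or the sites it
// discusses. Output encoding for user text placed into HTML: the comment
// lists <, > and &; " and ' are added here because the same text is often
// dropped into quoted attribute values, where they break out just as < does.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// One regex pass: every special character is replaced exactly once, so an
// existing "&lt;" in the input becomes "&amp;lt;" and displays literally.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one comment. Only the template is trusted; both
// user-controlled values go through escapeHtml() before concatenation,
// one inside a quoted attribute and one in a text node.
function renderComment(author, body) {
  return (
    `<div class="comment" data-author="${escapeHtml(author)}">` +
    `<p>${escapeHtml(body)}</p></div>`
  );
}

// Hypothetical review check over a rendered fragment: true when any tag
// start survived beyond the four the template itself emits
// (<div>, <p>, </p>, </div>), i.e. user input reached the page as markup.
function leaksMarkup(renderedHtml) {
  const tagCount = (renderedHtml.match(/<[a-zA-Z/!]/g) || []).length;
  return tagCount !== 4;
}

// Constructed sample input: the kind of text typed into a comment box,
// one value aimed at the attribute context and one at the text context.
const SAMPLE_AUTHOR = `O'Brien" onmouseover="alert(1)`;
const SAMPLE_BODY = "<script>alert(1)</script> Tom & Jerry";

const html = renderComment(SAMPLE_AUTHOR, SAMPLE_BODY);
console.log(html);
console.log("markup leaked:", leaksMarkup(html)); // false
```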