Do you remember the day the forum turned pink? What happened in that case was that someone (sorry, forgot his username) figured out how to put some code inside his forum post. Your browser doesn't (and, realistically speaking,
can't) know that's not supposed to happen so it will happily execute that code.
In that case, the included code was only used to override page layout, but the same technique could be used to do actually malicious stuff (redirecting you to another page, stealing cookies, infecting your browser with malware, ..., the list goes on).
The point about computer security is that problems are almost always caused by bugs. Most (regular) bug will be discovered at some point and then fixed; so far so good.
But when it comes to security-related issues, it's often a bug which is extremely unlikely to ever occur by accident (meaning nobody ever notices it, nobody ever reports it and hence, it never gets fixed). For instance, I bet you've misspelled your username a couple times when trying to enter it, right? But have you ever made the following "typo" on a "username" field?
Robert'); DROP TABLE Students; --
Probably not right? And if you change anything at all in there (leave out the apostrophe, closing parenthesis and/or semicolon after "Robert", replace "TABLE" by "GRID" or leave out one of the two dashes at the end), nothing bad happens, you'll just get an error.
However, entering
exactly that will delete all of the data from the database table called "Students" (and no, unless you have a backup you can't simply hit "undo" to get it back). With normal bugs, you're fighting against back luck, with security bugs, you're fighting against a (potentially highly skilled) human opponent, willing to spend a lot of time and effort on triggering (and then exploiting) a bug.
[Well, on any properly designed site it will cause an error (and quite probably an alert to the administrator / network security department), but on a site put together by someone who doesn't know about proper security, it is remarkably likely the database will happily remove the table.]
WARNING: Actually entering that "name" above on any site which is not your own is (an attempt at) cracking that site and illegal in at least the USA and the Netherlands (and most probably a lot of other countries as well, I just don't know for sure about any others), so I
strongly suggest you don't; this is just for explanatory purposes. If you want to know
why it works (and why it looks so weird), simply Google "SQL injection". (If you want to know why I used "Robert" as a username, Google "Bobby Tables" and find an awesome webcomic! :p )