People assume that to bypass a login you have to attack the login form. That is not the case. Sanddbox, the poster above, says that SQL injection is unlikely. In the login form itself, he would be correct, but in the rest of the site it is quite likely that there will be security flaws.
A flaw in a comments script, for example, may be used to access any table in a database. You send input to the site in a number of ways, more ways that you would think.
The most obvious input is that which you send in the URL.
Next would be form data, but this can come in two types. Text fields can be manipulated as you like, but it is often overlooked that other fields - such as radio buttons and check-boxes can also be manipulated. Hidden fields too can be manipulated. At the end of the day, it may not be a web browser that is submitting that data.
Cookies are another way input is sent to the server.
User agents and referers - two things that may be stored in a database to record visitor stats - are another form of input.
It is also important to remember the outputs. The most obvious is your screen as a dynamically generated website, but others include a file on the server and a server log (injecting PHP code into a webserver log is often used in LFI attacks). Databases are another final destination of your input.