A SQL injection attack against the username field is a common technique that yields massive exposure for little effort. The typical naive backend SQL script will directly substitute a browser field into a SQL "where" clause, e.g. select ssn where username = '$username'; You fill in the username field with the value ' or '1' -- which changes the substituted value to select ssn where username = '' or '1' -- That yields a wildcard match on all usernames and spews all the ssn fields. The actual values will differ, but that is the gist of a SQL injection attack.
See SQL Injection attack
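Added example, not part of any post in this thread: the naive substitution described above next to a parameterized query, run against an in-memory SQLite database. The `users` table, its columns, the function names and the sample rows are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, ssn TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002")],
    )
    return db


def lookup_naive(db, username):
    # Naive backend: the browser field is pasted into the WHERE clause,
    # so quote characters in the field become part of the SQL text.
    sql = "SELECT ssn FROM users WHERE username = '%s'" % username
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, username):
    # Bound parameter: the field is handed to the engine as a value and is
    # only ever compared against the username column, never parsed as SQL.
    sql = "SELECT ssn FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    field = "' or '1' --"  # the value quoted in the post above
    print("naive, normal input:   ", lookup_naive(db, "alice"))
    print("naive, crafted input:  ", lookup_naive(db, field))
    print("bound, normal input:   ", lookup_parameterized(db, "alice"))
    print("bound, crafted input:  ", lookup_parameterized(db, field))
```

With the bound parameter the crafted field is treated as a literal username that matches no row, so the query returns nothing instead of every ssn.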
That is exactly why the process control industry uses so many layers of protection to its servers running SQL servers process layer servers.
That and of course Windows OS running on the servers.
Also most of this is edicts sent down from above by boards that have direct ties to Federal Government Security Regs for Process Control. Oh, that is right, that only goes BOOM, not someone's life savings.