Post: To inject or not to inject
Posted Thursday 31st July 2008 14:28 GMT
In Beloved websites riddled with crimeware
Most of these attacks do not require SQL injection. SQL injection is used to modify the intended update query (say, of a blog posting form such as this) to make it do something else - for example, produce a list of usernames and passwords or delete database records.
The attacks referred to in this article simply post hyperlinks or JavaScript redirect code to a site via a legitimate form without doing any query modification. This can happen on many sites that do not validate and sanitise user-posted data. Nowt at all to do with SQL injection.
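The distinction drawn in the post above, as an added example that is not part of the original post: a parameterised query keeps the SQL statement intact, yet markup submitted through the form is still stored and served unless it is encoded on output. The table name, function names and sample comments are assumptions constructed for illustration.

```python
import html
import sqlite3

# Constructed sample input: a comment carrying markup, of the kind the post describes.
SAMPLE_COMMENT = "Nice article <script>location='http://example.invalid/'</script>"


def store_comment(conn, body):
    """Insert with a bound parameter: the query structure cannot be altered."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()


def render_raw(conn):
    """Unsafe rendering: stored text is placed into the page as-is."""
    rows = conn.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return "".join(f"<li>{body}</li>" for (body,) in rows)


def render_escaped(conn):
    """Hardened rendering: HTML metacharacters are encoded on output."""
    rows = conn.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return "".join(f"<li>{html.escape(body)}</li>" for (body,) in rows)


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    store_comment(conn, SAMPLE_COMMENT)
    # A string shaped like an SQL injection attempt is stored as inert data too.
    store_comment(conn, "x'); DROP TABLE comments; --")
    count = conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]
    return count, render_raw(conn), render_escaped(conn)


if __name__ == "__main__":
    count, raw, escaped = demo()
    print("rows stored:", count)
    print("raw:    ", raw)
    print("escaped:", escaped)
```

Both rows survive because the bound parameter never becomes part of the SQL text; only the escaped rendering keeps the stored markup from reaching the browser as a live tag.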
