To get started, SQL is essentially using website Queries to run commands within a website, and requires the website to be run by someone incompetent. You'll need two things:
1: An incompetent website with PHP vulnerability
2: Some basic knowledge of coding, any language is fine (except batch, because seriously?)
Start by writing the PHP to check if email exists, and if it does exist write it to a variable. Use an if check in order to determine whether the user actually exists or not. This step is where most websites begin to become suspicious, too many submissions from the same IP can get you locked out, though there are ways around it.
Then you can write the valid emails to a list, preferably compatible with something like Medusa or John the Ripper. Unless you enjoy manually checking emails for days on end
In order to simply cause damage, use '; DROP TABLE (Name of table to remove); --
What this does is essentially runs the initial check, then once it completes the check it deletes the table listed.
Kepp in mind these are extremely outdated, and anyone with a shred of PHP knowledge would be able to prevent this from happening so don't expect much. But it's still a fun way to mess with a friends forum or such.