• Seems like Charles' list touches a chord.

    I too am surprised at how common SQL injection vulnerabilities (still) are. Having recently implemented an EDRMS system, our supplier provided a small add-in to integrate with another system. I knew they would be taking values from a form to query a database and my first test was for SQL injection - I don't need to tell you it failed. They fixed it straight away, but these are supposedly professional developers, who do this sort of work for a living. Such tests should be part of any good QA regime and never make it off the factory floor.

    Chris
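The kind of QA check Chris describes, written out as an added example that is not part of the comment above or of any vendor's add-in: a form value is looked up in a database once by string concatenation and once by a parameterized query, and a small acceptance test feeds both a stray quote and a tautology to see whether the input is treated purely as data. The table, rows and probe strings are constructed for the demonstration; `lookup_vulnerable`, `lookup_parameterized` and `qa_check` are hypothetical names.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_ROWS = [
    ("alice", "Alice Example", "records"),
    ("bob", "Bob Example", "legal"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table that stands in for the integrated system's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, fullname TEXT, dept TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect pattern: the form value is pasted straight into the SQL text."""
    sql = "SELECT username, fullname FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the driver binds the value, so quotes inside it are just characters."""
    sql = "SELECT username, fullname FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def qa_check(lookup) -> bool:
    """Acceptance test for a form-to-database lookup.

    Returns True only if every probe value is matched literally: a value that
    is not a username must return no rows, and a value containing a quote must
    neither error out nor widen the result set.
    """
    conn = make_db()
    probes = [
        "alice",                # a normal value must still work
        "o'brien",              # a legitimate name containing a quote
        "alice' OR 'x'='x",     # a tautology that only a concatenated query honours
    ]
    for value in probes:
        try:
            rows = lookup(conn, value)
        except sqlite3.Error:
            # The input broke the statement: that is already a failing result.
            return False
        # Literal match: only rows whose username equals the probe string exactly.
        expected = [(u, f) for (u, f, _dept) in SAMPLE_ROWS if u == value]
        if rows != expected:
            return False
    return True


if __name__ == "__main__":
    print("concatenated query passes QA:", qa_check(lookup_vulnerable))     # False
    print("parameterized query passes QA:", qa_check(lookup_parameterized))  # True
```

The check is deliberately black-box: it does not inspect the SQL text, only whether the lookup's behaviour matches a literal comparison for each probe, so it can be run against any add-in that exposes the form-to-query path, regardless of which driver or database sits behind it.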