It honestly surprises me how many people still leave themselves open to SQL injection. Parametrisation and the use of QUOTENAME (in SQL Server) make it infinitely easier to avoid. It really frustrates me when you see someone who's creating dynamic SQL with a statement like:
SET @SQL = 'SELECT ' + @COL1 + ',' + @COL2 + ' FROM ' + @Table + ' WHERE ' + @Col1 + ' = ' + @Value;
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
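As an added example (not from the original post), here is the concatenation pattern above next to the hardened form the post recommends: QUOTENAME for the identifiers that genuinely have to be spliced into the text, and sp_executesql parameters for the value. The temp table, column names and hostile input are all constructed for illustration; the unsafe version quotes the value so you can see that quoting alone does not help.

```sql
-- Added example, not code from the original post. Table, columns and the
-- hostile value are constructed for illustration; run it in any SQL Server
-- or Azure SQL session.
SET NOCOUNT ON;

-- Constructed sample data.
CREATE TABLE #Customers (CustomerId int, Email nvarchar(100), Balance money);
INSERT INTO #Customers VALUES (1, N'alice@example.com', 100),
                              (2, N'bob@example.com',   250);

DECLARE @Table sysname = N'#Customers',
        @Col1  sysname = N'Email',
        @Col2  sysname = N'Balance',
        @Value nvarchar(100),
        @SQL   nvarchar(max);

-- Hostile value: closes the string literal, appends OR 1=1, comments out the rest.
SET @Value = N'x'' OR 1=1 --';

-- UNSAFE: the pattern the post complains about (value quoted, still injectable).
SET @SQL = N'SELECT ' + @Col1 + N',' + @Col2 + N' FROM ' + @Table
         + N' WHERE ' + @Col1 + N' = ''' + @Value + N'''';
PRINT @SQL;    -- ... WHERE Email = 'x' OR 1=1 --'
EXEC (@SQL);   -- returns both rows

-- SAFE:
-- 1. Identifiers cannot be parameters, so check them against the catalog and
--    wrap them in QUOTENAME so each is emitted as one bracketed name with any
--    embedded ] escaped.
-- 2. The value goes through sp_executesql as a typed parameter and is never
--    part of the SQL text.
IF COL_LENGTH(N'tempdb..' + @Table, @Col1) IS NULL
   OR COL_LENGTH(N'tempdb..' + @Table, @Col2) IS NULL
    THROW 50000, N'Unknown column name', 1;

SET @SQL = N'SELECT ' + QUOTENAME(@Col1) + N', ' + QUOTENAME(@Col2)
         + N' FROM ' + QUOTENAME(@Table)
         + N' WHERE ' + QUOTENAME(@Col1) + N' = @Value';
PRINT @SQL;    -- SELECT [Email], [Balance] FROM [#Customers] WHERE [Email] = @Value
EXEC sp_executesql @SQL, N'@Value nvarchar(100)', @Value = @Value;   -- returns no rows

DROP TABLE #Customers;
```

The catalog check matters because QUOTENAME only guarantees the text is parsed as a single identifier; it does not stop a caller naming a column they should not be able to read. Whitelist the identifier, then quote it.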