This is the best anti-pattern about security and SQL Injection on the web. Today I found, via <edit>, html.it blog, a CMS that use a "creative" approach to get data from the DB: passing the SQL string directly as querystring to the page. Here is an example:
And if you search on Google for "allinurl:sql select from where", you will find heaps of pages that use this approach (tonight the results were 111.000). I found sites built in ASP Classic, PHP, cgi, Perl, seems quite a widespread technique.
What if someone writes DROP TABLE NEWS instead of SELECT ...?