Bobby Tables
This kind of exploit is sickeningly easy to avoid, yet crops up with depressing regularity.
PHP, for example, has several mechanisms to avoid SQL injection (use of the DBMS parameterized/prepared statement mechanisms, input validation and filtering), yet the number of times I see people asking questions on Stack Overflow where they've obviously followed a tutorial from the PHP 4 days and written stuff like the following just makes me want to quit web development and take up mushroom farming instead.
mysql_query ('INSERT INTO TABLE (column) VALUES (' . $_GET ['field'] . ')');
Doesn't anyone read XKCD?
http://xkcd.com/327/
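
For contrast with the concatenated mysql_query() call above, here is the same insert done with the two mechanisms the post names, a prepared statement plus input validation. This is an added example, not code from the original post; it assumes the pdo_sqlite extension, and the table name `entries`, the helper `save_field()` and the 64-byte limit are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: validate the value, then insert it through a
// prepared statement instead of concatenating it into the SQL string.
function save_field(PDO $db, string $field): void
{
    // Input validation: reject what the column should never hold.
    // The 1-64 byte rule is an assumed business constraint.
    if ($field === '' || strlen($field) > 64) {
        throw new InvalidArgumentException('field must be 1-64 bytes');
    }

    // The SQL text is fixed. The value travels separately as a bound
    // parameter, so quotes and parentheses in it are never parsed as SQL.
    $stmt = $db->prepare('INSERT INTO entries (col) VALUES (:field)');
    $stmt->execute([':field' => $field]);
}

// In-memory SQLite keeps the example self-contained and offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (col TEXT NOT NULL)');

// Constructed sample inputs standing in for $_GET['field'].
$samples = ["plain", "O'Brien", "x'); -- y", ""];

foreach ($samples as $sample) {
    try {
        save_field($db, $sample);
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}

// Each accepted value is read back exactly as it was submitted,
// SQL punctuation included, because it was only ever treated as data.
foreach ($db->query('SELECT col FROM entries') as $row) {
    echo "stored: ", $row['col'], "\n";
}
```

The value with an apostrophe is the useful case: in the concatenated version it changes the shape of the statement, while here it is just three more characters in a stored string.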