For 25 years now, it's been mind-blowing to know that a significant number of orgs (and their developers) won't take the time to sanitize RDBMS queries by using stored procedures or readily available tools/code for parameterization.
It's one of those tech 'problems' that never goes away. 🙁