Just for fun...
Last week, a friend of mine sent me a link. He sent me a URL to a restaurant so we could meet there. Thunderbird broke the URL in half for some reason and when I clicked on the link, I received an error page that contained in part this text:
Element RESTAURANT is undefined in URL.
The error occurred in /........../something.cfm: line 7
5 : select SectionName, Words
6 : from restaurants
7 : where Restaurant='#url.Restaurant#'
8 : and Section='#url.Section#'
Interesting, I thought... I had some fun with that - discovered that Restaurant was not only SQL injectable but HTML injectable as well (they used the text in SQL and in their generated HTML - you can do some interesting things with that)...
If you do not know what SQL Injection is - please read this. And then get rid of string concatenation in your code wherever you can!
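To make the "get rid of string concatenation" advice concrete, here is an added example (my own code, not anything from the post or from the site it describes). It rebuilds the query from the error page above in Python with sqlite3, runs the same input through the concatenated form and a parameterised form, and escapes the result before it is put into HTML, since the post notes the same value was reused in the generated page. The table rows, restaurant names and the helper names (`make_db`, `lookup_concat`, `lookup_param`, `render_html`, `compare`) are all constructed for this demonstration. In ColdFusion itself the equivalent of the parameterised form is `<cfqueryparam>` inside the `<cfquery>`.

```python
import html
import sqlite3

# Added example, not code from the original post: the same "select ... where
# Restaurant='...' and Section='...'" query, built two ways. All table
# contents below are made up for the demonstration.


def make_db():
    """Create an in-memory table with the columns the page's query refers to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table restaurants "
        "(Restaurant text, Section text, SectionName text, Words text)"
    )
    conn.executemany(
        "insert into restaurants values (?, ?, ?, ?)",
        [
            ("Luigis", "menu", "Menu", "Pasta and pizza"),
            ("Luigis", "hours", "Hours", "11:00-22:00"),
            ("Chez Paul's", "menu", "Menu", "French bistro"),
            ("Chez Paul's", "notes", "Internal", "Not meant for the public page"),
        ],
    )
    return conn


def lookup_concat(conn, restaurant, section):
    """The pattern from the error page: request values pasted into the SQL text."""
    sql = (
        "select SectionName, Words from restaurants "
        f"where Restaurant='{restaurant}' and Section='{section}'"
    )
    return conn.execute(sql).fetchall()


def lookup_param(conn, restaurant, section):
    """Hardened form: placeholders, so the driver passes the values as data."""
    sql = (
        "select SectionName, Words from restaurants "
        "where Restaurant=? and Section=?"
    )
    return conn.execute(sql, (restaurant, section)).fetchall()


def render_html(rows):
    """Escape query results before they go into the page (the post's second injection point)."""
    return "".join(
        f"<h2>{html.escape(name)}</h2><p>{html.escape(words)}</p>"
        for name, words in rows
    )


def attempt(fn, conn, restaurant, section):
    """Run a lookup and report either its rows or the database error it raised."""
    try:
        return ("ok", fn(conn, restaurant, section))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def compare(conn, restaurant, section):
    """Outcome of both query styles for the same input, side by side."""
    return {
        "concat": attempt(lookup_concat, conn, restaurant, section),
        "param": attempt(lookup_param, conn, restaurant, section),
    }


if __name__ == "__main__":
    db = make_db()
    # 1. A legitimate name with an apostrophe: the concatenated query is
    #    malformed SQL and raises (which is how an error page like the one in
    #    the post comes to exist); the parameterised query simply finds the row.
    print(compare(db, "Chez Paul's", "menu"))
    # 2. A quote-and-tautology string in Section: concatenation turns it into
    #    SQL and every row comes back, including the internal one; as a
    #    parameter it is compared as one literal string and matches nothing.
    print(compare(db, "Luigis", "x' or '1'='1"))
    print(render_html(lookup_param(db, "Luigis", "menu")))
```

Run it as a script to see the two outcomes side by side. The first case is the one the post actually hit: an apostrophe that was never meant as an attack still breaks the concatenated statement and, on a server configured to show debugging output, leaks the source around it. The second case shows why the fix is not just "escape the quote": with placeholders the whole value is one string compared against the column, so there is nothing to escape.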
Just to close on a sadly funny note - (warning, not entirely safe for work language is on this page) check this out