If there ever was a glaring example of how not to write Web application code, then the Oklahoma Department of Corrections Web site is it.
Not only did the site process unsanitized user input, it also put SQL queries in clickable GET request links! As a result, all sorts of data was available, not to mention the likelihood that data stored in the site's database could be changed. And this wasn't just any old database. It was a database of sex offenders, which, as you can imagine, presents a gigantic problem and liability for the state government.
Head over to The Daily WTF to read their exposé.
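The design flaw described above, next to a corrected design, as an added example that is not code from the site or from The Daily WTF's write-up. The table names, the `by_county` report name, the URLs and the sample rows are all constructed for illustration.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE listing (id INTEGER PRIMARY KEY, name TEXT, county TEXT);
        CREATE TABLE staff_notes (id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO listing VALUES (1, 'Record A', 'Tulsa'), (2, 'Record B', 'Kay');
        INSERT INTO staff_notes VALUES (1, 'internal only');
    """)
    return db

def query_params(url):
    # First value of each GET parameter, URL-decoded.
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def handle_flawed(db, url):
    # The flawed design: the link carries the statement to run, so whoever
    # edits the URL decides what the database executes.
    return db.execute(query_params(url)["sql"]).fetchall()

# Corrected design: statements live on the server and the link only names one.
REPORTS = {
    "by_county": (
        "SELECT id, name FROM listing WHERE county = ? ORDER BY id",
        ("county",),
    ),
}

def handle_hardened(db, url):
    q = query_params(url)
    report = REPORTS.get(q.get("report"))
    if report is None:
        raise ValueError("unknown report")
    sql, names = report
    missing = [n for n in names if n not in q]
    if missing:
        raise ValueError("missing parameter: " + ", ".join(missing))
    # Values are bound as data, never concatenated into the statement text.
    return db.execute(sql, tuple(q[n] for n in names)).fetchall()
```

In the corrected handler the only thing a link can choose is which server-defined report to run and which values to bind to it; a `sql` parameter is simply ignored and the request is rejected.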