In the realm of the daily WTF, this SQL doozy popped up earlier in the year: “Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data”.
SQL queries were part of the URLs, so anybody could see which tables and columns were present, and modify the queries at will to extract lots of privileged data, including social security numbers. I particularly cried around the bit where the developers, after being informed of the problem, merely changed the social security number column name to start with caps, while leaving the whole “SQL in URL” thing in place. They only actually took the thing offline “for routine maintenance” after it was then proven that the developers’ own personal information was also retrievable. Apparently it had to have such a personal connection to “hit home”.
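To make the design flaw concrete, here is an added example (not code from the site in question) that puts a handler executing SQL taken from the URL beside one where the query text and column list are fixed on the server. The table, column names, URLs and sample rows are all constructed assumptions.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

def make_db():
    # Constructed sample data; the schema is an assumption, with the SSN
    # column capitalised the way the post says the "fix" renamed it.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT, "
               "city TEXT, Social_security_number TEXT)")
    db.executemany("INSERT INTO offenders VALUES (?, ?, ?, ?)",
                   [(1, "A. Example", "Tulsa", "000-00-0001"),
                    (2, "B. Example", "Norman", "000-00-0002")])
    return db

def flawed_handler(db, url):
    # The design the post describes: the client supplies the whole query,
    # so every table and column the database account can read is exposed.
    sql = parse_qs(urlsplit(url).query)["sql"][0]
    return db.execute(sql).fetchall()

PUBLIC_COLUMNS = ("id", "name", "city")   # server-side allow-list, no SSN
ALLOWED_PARAMS = {"city"}

def hardened_handler(db, url):
    # The client supplies one value; the query text never leaves the server.
    params = parse_qs(urlsplit(url).query)
    if set(params) - ALLOWED_PARAMS or len(params.get("city", [])) != 1:
        raise ValueError("unsupported request parameters")
    query = f"SELECT {', '.join(PUBLIC_COLUMNS)} FROM offenders WHERE city = ?"
    # The value is bound as a parameter, never spliced into the SQL string.
    return db.execute(query, (params["city"][0],)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(flawed_handler(
        db, "/search?sql=SELECT+name,+Social_security_number+FROM+offenders"))
    print(hardened_handler(db, "/search?city=Tulsa"))
```

Renaming the column changes nothing in the flawed handler, because the caller still chooses the query; in the hardened one the SSN column is unreachable whatever it is called.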