Anyone who inserts user-entered data into an SQL table without checking for and appropriately escaping obvious things like embedded quotation marks is an idiot and should be fired. You just compromised your database: A URL with a query which injects malicious SQL into your query could dump your entire database to the hacker’s browser, as described in the article.

Anyone who echoes user-entered data in the HTML of a document without checking for and appropriately escaping obvious things like embedded HTML tags, quotation marks, etc. is an idiot and should be fired. You just made your users vulnerable to cross-site scripting and phishing: A URL with a query that injects a malicious script into the page could steal the login credentials, session cookies… even run a keylogger / clicklogger on any activities performed on the page.
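The two fixes the comment calls for, bound SQL parameters and HTML escaping, as an added example that is not part of the original comment or the Threatpost article; the in-memory sqlite3 table and the user names are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a site's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("O'Brien", "obrien@example.com")])
    return conn


def lookup_unsafe(conn, name):
    # Pastes user input straight into the statement: a quotation mark in
    # the input changes the SQL grammar instead of staying data.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Bound parameter: the driver passes the value separately from the
    # statement text, so a quote inside it can never end the literal.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_greeting(name):
    # html.escape turns <, >, &, " and ' into entities before the value
    # lands in markup, so a user-supplied tag is displayed, not rendered.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    conn = make_db()
    results = {}
    try:
        # An ordinary name with an apostrophe is enough to break the
        # concatenated query; sqlite3 raises on the unterminated literal.
        results["unsafe"] = lookup_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        results["unsafe"] = "error: " + str(exc)
    results["safe"] = lookup_safe(conn, "O'Brien")
    results["html"] = render_greeting("<b>O'Brien</b>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```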


Copyright © 2010 threatpost.com