Came across this horror in the VB project we inherited:
```vb
Public ADD_CONTRACT1 As String = "INSERT INTO Reimb_Contract (ContractCode, Title, Description, CurrentFY, VoucherType, Type) VALUES ('{0}', '{1}', '{2}', {3}, {4}, {5});SELECT scope_identity();"
Public ADD_CONTRACT2 As String = "INSERT INTO Reimb_ContractFYInfo (Contract_ID, FiscalYear_ID, SCID, FromDate, ToDate) VALUES({0}, {1}, '{2}', '{3}', '{4}');"
Public SUM_TOTAL_BUDGET As String = "SELECT sum(TotalBudget) SUM_TotalBudget FROM Reimb_ContractBudgets where year = {0} and contract_id='{1}' AND CashInd ='{2}';"
Public SUM_ORIG_HS_BUDGET As String = "SELECT Sum([OrigHSBudgetAmount]) SUM_OrigHSBudgetAmount FROM [Reimb_ContractBudgets] WHERE year = {0} AND contract_id={1} AND CashInd ='{2}';"
Public SUM_AMEND_HS_BUDGET As String = "SELECT Sum([AmendHSBudgetAmount]) SUM_OrigHSBudgetAmount FROM [Reimb_ContractBudgets] WHERE year = {0} AND contract_id={1} AND CashInd ='{2}';"
Public SUM_CCDBG_BUDGET_AMOUNT As String = "SELECT SUM(CCDBGBudgetAmount) FROM Reimb_BudgetIdentifier AS BI INNER JOIN Reimb_ContractBudgets AS CB ON BI.BudgetIdentifier_ID = CB.BudgetIdentifier_ID where Contract_ID={0} AND Fund_ID = 2 AND CashInd ='{1}' AND Year = {2}"
```
There are more, but Jesus, that's disgustingly unsafe. I'm horrified. The worst part is that the developer clearly knew enough about SQL to use scope_identity(), yet not enough to avoid unsafe code like this.
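For comparison, here is how the first of those statements looks once the values are bound as parameters instead of being formatted into the SQL text. This is an added example, not code from the inherited project; the connection string, the parameter sizes and the ADO.NET column types are assumptions.

```vb
' Added example, not the inherited project's code: ADD_CONTRACT1 rewritten so
' that caller-supplied values are sent as typed parameters rather than being
' String.Format-ed into the statement. Connection string and column sizes are
' placeholders, not values from the original code.
Imports System.Data
Imports System.Data.SqlClient

Public Module ContractRepository

    Private Const AddContractSql As String =
        "INSERT INTO Reimb_Contract (ContractCode, Title, Description, CurrentFY, VoucherType, Type) " &
        "VALUES (@ContractCode, @Title, @Description, @CurrentFY, @VoucherType, @Type); " &
        "SELECT CAST(scope_identity() AS int);"

    ' Returns the new Contract_ID. Because the values travel as parameters, a
    ' quote or semicolon inside Title or Description is stored as data; it is
    ' never parsed as part of the SQL statement.
    Public Function AddContract(connectionString As String,
                                contractCode As String, title As String, description As String,
                                currentFY As Integer, voucherType As Integer, contractType As Integer) As Integer
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(AddContractSql, conn)
                ' Sizes are assumed; match them to the real column definitions.
                cmd.Parameters.Add("@ContractCode", SqlDbType.VarChar, 50).Value = contractCode
                cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 200).Value = title
                cmd.Parameters.Add("@Description", SqlDbType.NVarChar, 2000).Value = description
                cmd.Parameters.Add("@CurrentFY", SqlDbType.Int).Value = currentFY
                cmd.Parameters.Add("@VoucherType", SqlDbType.Int).Value = voucherType
                cmd.Parameters.Add("@Type", SqlDbType.Int).Value = contractType
                conn.Open()
                ' ExecuteScalar returns the first column of the first row,
                ' i.e. the scope_identity() value from the second statement.
                Return CInt(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

End Module
```

The same pattern applies to the SUM_* queries: keep the statement text constant and bind year, contract_id and CashInd as parameters with the column's actual type, which also removes the quoted-versus-unquoted contract_id inconsistency visible in the originals.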