Hacker News

Even back in just 2012, I found that one of our clients who had an e-commerce site had come up with the "genius" idea of solving SQL injection by checking the unparsed URL for an apostrophe. The same self-taught developer also decided to log the CC name, number, expiry, and CVV code for all orders instead of just storing the transaction ID from Authorize.net. There were 750,000 rows in that table when I found the SQL injection vuln.


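The apostrophe check described in the comment fails for two independent reasons: the check runs on the raw URL, but the application reads its parameters after the framework has percent-decoded them (so `%27` sails past the check and arrives as `'`), and a numeric column is compared without quotes at all, so no apostrophe is needed in the first place. The following is an added example, not code from the commenter or their client; the `products` table, the two attack URLs and the lookup functions are constructed for the demonstration, and it shows the filter beside the parameterised query that actually closes the hole.

```python
"""Added example (not from the HN comment above): why an apostrophe check on
the raw, unparsed URL is not a SQL injection defence, next to the
parameterised query that is.  The products table and the URLs are constructed
for the demo."""
import sqlite3
from urllib.parse import urlsplit, parse_qs


def build_db():
    """Constructed sample table: two public products and one row that must never be visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 0), (2, "gadget", 0), (3, "internal", 1)],
    )
    return conn


def raw_url_has_no_apostrophe(raw_url):
    """The 'genius' check from the comment: look for a literal ' in the unparsed URL."""
    return "'" not in raw_url


def query_params(raw_url):
    """What the web framework hands the application: percent-decoded parameter values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(raw_url).query).items()}


def vulnerable_lookup(conn, raw_url):
    """String-concatenated query behind the apostrophe check.  Returns None when blocked."""
    if not raw_url_has_no_apostrophe(raw_url):
        return None
    params = query_params(raw_url)
    if "id" in params:
        # Numeric column: the SQL has no quotes around the value, so the
        # attacker never needs an apostrophe at all.
        sql = "SELECT name FROM products WHERE secret = 0 AND id = " + params["id"]
    else:
        # String column: the apostrophe arrives as %27 and is decoded by the
        # framework only after the raw-URL check has already passed.
        sql = "SELECT name FROM products WHERE secret = 0 AND name = '" + params["name"] + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, raw_url):
    """Parameterised query: user input is bound as a value, never spliced into SQL text."""
    params = query_params(raw_url)
    if "id" in params:
        try:
            product_id = int(params["id"])  # input validation; the binding below is the real defence
        except ValueError:
            return []
        rows = conn.execute(
            "SELECT name FROM products WHERE secret = 0 AND id = ?", (product_id,))
    else:
        rows = conn.execute(
            "SELECT name FROM products WHERE secret = 0 AND name = ?", (params.get("name", ""),))
    return [row[0] for row in rows]


# Constructed attack URLs.  Neither of the first two contains a literal apostrophe.
ENCODED_QUOTE_URL = "/product?name=widget%27%20OR%20secret%3D1%20--"  # decodes to: widget' OR secret=1 --
NO_QUOTE_URL = "/product?id=0%20OR%20secret%3D1"                       # decodes to: 0 OR secret=1
BLOCKED_URL = "/product?name=widget'"                                  # the only shape the check catches

if __name__ == "__main__":
    db = build_db()
    for url in (ENCODED_QUOTE_URL, NO_QUOTE_URL, BLOCKED_URL, "/product?id=2"):
        print(url, "->", vulnerable_lookup(db, url), "| parameterised:", safe_lookup(db, url))
```

Run it and the first URL returns the hidden `internal` row through the filter via the percent-encoded quote, the second returns it with no quote character anywhere, and only the third, naive one is blocked; `safe_lookup` returns nothing for all three and still serves the legitimate `id=2` request. The general point is that any check applied to a different representation of the input than the one the query consumes can be bypassed by choosing an encoding, and that binding parameters removes the question entirely.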