Looking for code inclusions?
The versatile google cluster has a solution for this, like for many other tasks.
lets You find various places where some variable from the superglobal $_REQUEST is printed with echo. By the same means, you can easily find places where such a variable is directly included in an SQL query, for instance with
This alone yields 50 results for each query, but it may be varied with printf() instead of echo() or just leaving out the () with echo. Further, there are some more superglobals, most important $_GET and $_POST.
If that’s not enough, there are some more code search engines, like Krugle or Koders. Even though the llatter does not allow queries like the above, even there inclusions can be found between examples of how to prevent such security flaws.
Looking at the sites of the search hits yields quite a bunch of well-known projects/sites, so this is not just gray theory.