SQL injection. My work place had a typical example:
INSERT INTO users SET fname='$fname', lname='$lname';
Apart from the fact that you're mixing UPDATE syntax with INSERT syntax, substitution is perfectly valid so long as each string has been sanitized in the correct manner for a particular database connection (that is, not addslashes()). For the MySQLi client library, it looks like this:
$fname = $db->escape_string($fname);
$lname = $db->escape_string($lname);
Don't get me wrong; it's bad practice to escape manually unless you're using operator IN on a database client library that supports neither array parameters nor named placeholders (such as MySQLi). But code that correctly uses $db->escape_string() (or the equivalent for other languages or database drivers) should be safe from SQL injection, just as code that correctly uses htmlspecialchars() should be safe from script injection.
With Clonebox, if a customer's web server is hacked or otherwise damaged, we can switch it over to a ~read-only mirror. Sure that protects against hackers, and some customers have been hacked and used the protection. More often, customers simply screw up and delete important files or databases.
But how long do you keep these mirrors around, in case there's a screw-up that goes undiscovered for a while?