A few things I remember.
Nobody sanitised their inputs.
You could get through logins by making a database query check whether 1 = 1 instead of a password. You could put JavaScript into guest book fields to redirect people to whatever crazy site you wanted.
My university lecturer told me about a well known supermarket that built a shop front. They made it in such a way that you could change the numbers before they were submitted and it wasn’t validated on the back end. So free food.
Cutlery with a circular handle have the worst feels