When I find insecure sites, I go into their admin panel and take a screenshot. I promptly email them showing them of this hole and offer my services to secure it.

Rendair, for your sql cleaning method, mysql_real_escape_string is all thats needed.