HOW TO REPLICATE
Visit a Drupal wiki page and add a single quote to the URL.
WHAT HAPPENS
User receives an error displaying the SQL statement executed, which contains unescaped information from the command line.
WHAT WAS EXPECTED
For the user to receive the standard page not found error.
Under no circumstance should the URL be passed into SQL without passing rigorous validation checks, and definitely not before having been passed through a function such as mysql_escape_string().
Tested with Drupal 4; however, I believe the issue will exist in the current version also. I have not inspected the code as of yet - but this should be trivial to fix... use a regular expression to ensure that the wiki name specified in the URL contains only characters a-z, A-Z, 0-9 and underscores (plus whatever you consider acceptable).
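The check suggested in the report, sketched as an added example (not part of the original report and not Drupal's own code). The `wiki_page` table, the function names, the 64-character limit and the in-memory SQLite database standing in for the site's database are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical names throughout, not the wiki module's code.

// Allowlist from the report: a-z, A-Z, 0-9 and underscore.
// \A and \z anchor the whole string; a plain '$' would accept a trailing newline.
// The 64-character limit is an assumption.
const WIKI_NAME_PATTERN = '/\A[A-Za-z0-9_]{1,64}\z/';

function is_valid_wiki_name(string $name): bool
{
    return preg_match(WIKI_NAME_PATTERN, $name) === 1;
}

// Returns [HTTP status, body] for the wiki name taken from the URL.
function load_wiki_page(PDO $db, string $rawName): array
{
    if (!is_valid_wiki_name($rawName)) {
        // Rejected before any SQL runs; same answer as a missing page.
        return [404, 'Page not found'];
    }
    try {
        // Bound parameter: the name is never concatenated into the statement.
        $stmt = $db->prepare('SELECT body FROM wiki_page WHERE name = :name');
        $stmt->execute([':name' => $rawName]);
        $body = $stmt->fetchColumn();
    } catch (PDOException $e) {
        // Log server-side; never show the SQL statement to the visitor.
        error_log('wiki lookup failed: ' . $e->getMessage());
        return [500, 'Internal error'];
    }
    return $body === false ? [404, 'Page not found'] : [200, $body];
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wiki_page (name TEXT PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO wiki_page VALUES ('FrontPage', 'Welcome')");

// Constructed inputs: a valid name, a name with a single quote,
// a valid but missing name, and a name with a trailing newline.
foreach (['FrontPage', "Front'Page", 'NoSuchPage', "FrontPage\n"] as $name) {
    [$status, $body] = load_wiki_page($db, $name);
    printf("%-16s -> %d %s\n", json_encode($name), $status, $body);
}
```

Only `FrontPage` returns 200; the other three inputs get the standard 404, and database errors are logged rather than echoed.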