View Full Version : What would you do? Honestly


Stone
15th November 2007, 11:31 AM
Well, I needed to get some business cards off to print. On the advice of a well respected graphic designer I know, he recommended a print company to me.

I went on to their website, filled in the details and attached the PSDs, and when I pressed submit I got an error... Well, from this error, I deduced the site would be quite vulnerable to an SQL injection attack. I was tempted to just drop the database; it would be their own fault for using a cheap web dev studio to build it. But sure, their host would have a backup and the site would be back up within an hour.

So... I decided I'd try to get free business cards out of it. I sent them an email, telling them that they were vulnerable, that I would like to get cards printed and would a sales rep contact me personally because I don't trust their website. I heard nothing for three days and then the graphic designer that I know contacted them about it. They said it was fixed and they wouldn't print my cards for free! I didn't even get an email saying thanks.

Well, that left me fuming, so I fucked around with the site and... I found another section vulnerable to SQL injection attack. This time, I think that I'll copy their whole client list and sell it to competitors. Then get every customer's billing information and email each customer their own billing information along with where I got it from. Those two actions would destroy the company. D'ya think that response from me is overkill or justified? All I want are free fucking business cards!
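The mechanism behind the post above, as an added illustration that is not part of the thread or anything the print company ran: a lookup that splices a form field into SQL text, so a stray quote in the input produces the database error the poster saw and a crafted value returns rows it should not, beside the parameterized form that does neither. The table, rows and function names are constructed for the example; SQLite stands in for whatever database the real site used.

```python
import sqlite3

# Constructed sample data (not from the page): a toy orders table.
SAMPLE_ROWS = [
    ("alice@example.com", "ORD-1001"),
    ("bob@example.com", "ORD-1002"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (email TEXT, order_ref TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The pattern the post describes: user input spliced into the SQL text.
    A quote in the input changes the statement's structure."""
    sql = f"SELECT order_ref FROM orders WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT order_ref FROM orders WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def probe(lookup, conn: sqlite3.Connection, value: str) -> tuple:
    """Run a lookup and classify the outcome the way a tester would:
    ('error', <exception name>) when the database rejects the statement,
    otherwise ('rows', <returned rows>)."""
    try:
        return ("rows", lookup(conn, value))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    # An ordinary value works the same either way.
    print(probe(lookup_vulnerable, db, "alice@example.com"))
    # A single quote in otherwise legitimate input breaks the spliced query:
    # this is the kind of error page that tipped the poster off.
    print(probe(lookup_vulnerable, db, "o'reilly@example.com"))
    # A crafted value rewrites the WHERE clause and returns every row.
    print(probe(lookup_vulnerable, db, "' OR '1'='1"))
    # The parameterized version treats the same strings as plain data.
    print(probe(lookup_safe, db, "o'reilly@example.com"))
    print(probe(lookup_safe, db, "' OR '1'='1"))
```

The second tell in the story is that the error reached the browser at all: a site should log the database exception server-side and show the user a generic failure message, since the raw error text is what lets an outsider infer the query shape. Binding parameters removes the injection; suppressing the error output removes the signpost.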

odin_dax
15th November 2007, 10:44 PM
Ah, absolute power... Well, I would put your situation like this. The original reason for going to that site was to conduct business. I'm sure on some level you expected to pay for that service, knowing or not knowing the price. Negotiating for free business cards is a good idea and all, but the moral of the story is intent and reason. The original purpose is buying business cards. Stealing clients and committing crime(s) is hardly justified.

Nox (ADVANCED)
15th November 2007, 11:49 PM
Go for it, Stone. After selling the info there'll probably be enough to buy heaps of cards lol.

ComfortablyNumb
15th November 2007, 11:54 PM
I wouldn't say that response is justified per se; however, I wouldn't admonish you for doing it. It is the company's fault for not properly securing their website; however, Odin is right in pointing out your original intent. Although... thinking about it, your idea can be construed (it's a stretch) as being good, in that if someone else were to discover the website's weakness and, instead of selling the client info to other businesses, used it for identity theft purposes, then you would be doing the company's clients a favor (like I said, it's a stretch...) by selling their info to other companies that do have proper security systems in place. You'd also be doing yourself a favor ($$$). I would just say that if you do indeed decide to do it, make sure that the company can't trace it back to you (perhaps buy business cards from them anyway, and then do it afterwards?).
Sidenote: if it were me in your situation I would definitely do it, but I don't want to tell you to go ahead and do something illegal. It's your choice.

Armalite
16th November 2007, 01:47 PM
Informing the customers of the fact that their sensitive information is vulnerable to a simple SQL injection is not only acceptable, it is what a good person would do. If you saw your neighbor leave his house with the front door open, would you not try to tell him or close it for him?

As for disclosing the information to other companies, that is a shitastic idea, that would make you no better than the spammers and phishers.

Nox (ADVANCED)
17th November 2007, 12:09 AM
After I went inside and had a peek about.