What about an SQL injection bug that allows for increased privileges?Um, web programming 101 is that you escape quotes on user-supplied inputs. That ends SQL injection.
Pardon my naivete (I'm fairly new to web/DB programming) . . . is this the current standard method of protection from SQL injection? How does it compare to SQL preparation with bound variables?
Kevin
