>> What about an SQL injection bug that allows for increased privileges?
>
> Um, web programming 101 is that you escape quotes on user-supplied
> inputs. That ends SQL injection.
Pardon my naivete (I'm fairly new to web/DB programming) . . . is this
the current standard method of protection from SQL injection? How does
it compare to SQL preparation with bound variables?
Kevin
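To put the two approaches Kevin asks about side by side, here is an added example (not code from anyone in this thread) using Python's sqlite3 module and a small constructed table. It contrasts hand-rolled quote escaping with bound variables, including the case escaping cannot cover: a value spliced into an unquoted numeric context.

```python
import sqlite3

# Constructed sample table for the demonstration; not data from the original thread.
ROWS = [(1, "alice"), (2, "O'Brien"), (3, "carol")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return con

def escape_quotes(value):
    """The 'escape quotes' approach: double every single quote in the input."""
    return value.replace("'", "''")

def name_lookup_escaped(con, name):
    # Query text built by hand; escaping only works because the value
    # lands inside a quoted string literal.
    sql = "SELECT id FROM users WHERE name = '" + escape_quotes(name) + "'"
    return [row[0] for row in con.execute(sql)]

def name_lookup_bound(con, name):
    # Bound variable: the SQL text is fixed and the driver passes `name` purely as data.
    return [row[0] for row in con.execute("SELECT id FROM users WHERE name = ?", (name,))]

def id_lookup_concat(con, raw_id):
    # Numeric context: no quotes surround the value, so quote escaping changes
    # nothing and whatever the client sent is handed straight to the SQL parser.
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(raw_id)
    return [row[0] for row in con.execute(sql)]

def id_lookup_bound(con, raw_id):
    # Same lookup with a bound variable; a non-numeric value simply matches nothing.
    return [row[0] for row in con.execute("SELECT name FROM users WHERE id = ?", (raw_id,))]

def demo():
    con = make_db()
    out = {
        "escaped_name": name_lookup_escaped(con, "O'Brien"),  # [2]
        "bound_name": name_lookup_bound(con, "O'Brien"),      # [2]
        "bound_id": id_lookup_bound(con, "2"),                # ["O'Brien"]
        "bound_id_junk": id_lookup_bound(con, "abc"),         # []
    }
    try:
        id_lookup_concat(con, "abc")
        out["concat_id_parsed_as_sql"] = False
    except sqlite3.OperationalError:
        # 'abc' was parsed as a column name: the raw input reached the SQL grammar.
        out["concat_id_parsed_as_sql"] = True
    return out
```

Both techniques handle the quote in `O'Brien`, but only the bound variable keeps the value out of the grammar when the surrounding SQL is not a quoted string literal.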