good comments and a great article. One other thing that I think should be mentioned first is that the user account should not be SA, but rather a limited rights account. To me that's the first step before attempting to limit injection attacks.