• Ugh, this rings far too true at present. The company I work for currently uses third-party software, and after examining the system, I've found that its search procedures are all very SQL-injectable by running some test injections against it. Worse yet, the search procedures aren't stored procedures, they're just SQL strings concatenated together in the ASP.NET front-end.

    Not sure if I can rewrite these monstrosities without breaking the service agreement with the third-party company, and they've said they don't intend to fix the vulnerability. If I had a say in it, the whole software company would be "fired" from our usage, and their program replaced :w00t:

    - 😀
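The post describes search built by concatenating user input into SQL text in the ASP.NET front-end, then confirmed by running test injections. The following is an added illustration, not code from the post or from the third-party product: a Python/sqlite3 stand-in (the real app is ASP.NET, so the language differs) showing the concatenated search beside a parameterized one, plus the kind of differential probe that tells the two apart. The product table and the probe string are constructed for this example.

```python
import sqlite3

# Constructed sample data for the example (not from the post).
PRODUCTS = [
    (1, "red widget", 9.99),
    (2, "blue gadget", 14.50),
    (3, "internal prototype", 0.0),
]

# A probe term that can match no real product name. Under concatenation the
# quote closes the string literal, OR 1=1 makes the predicate always true and
# "--" comments out the rest of the query, so every row comes back.
PROBE = "zzz_no_such_product' OR 1=1 --"


def make_db():
    """Build an in-memory database holding the sample products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def search_concat(conn, term):
    """Vulnerable: the search term is spliced into the SQL text, the pattern the
    post describes. A term containing a quote rewrites the query."""
    sql = "SELECT id, name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[1] for row in conn.execute(sql)]


def search_param(conn, term):
    """Hardened: the term is bound as a parameter, so quotes inside it are data,
    never syntax. LIKE wildcards in the input are escaped as well so that a user
    typing '%' cannot widen the match."""
    escaped = (
        term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = "SELECT id, name FROM products WHERE name LIKE ? ESCAPE '\\'"
    return [row[1] for row in conn.execute(sql, ("%" + escaped + "%",))]


def looks_injectable(conn, search_fn):
    """Differential probe: a term that matches nothing should return nothing.
    Rows coming back for PROBE mean the input reached the parser as SQL."""
    return len(search_fn(conn, PROBE)) > 0


if __name__ == "__main__":
    db = make_db()
    print("concatenated search, probe:", search_concat(db, PROBE))
    print("parameterized search, probe:", search_param(db, PROBE))
    print("concat injectable?", looks_injectable(db, search_concat))
    print("param injectable?", looks_injectable(db, search_param))
```

The concatenated version also throws a syntax error on ordinary input such as `O'Brien`, which is usually the first visible symptom before anyone tries a deliberate payload. When the vendor code cannot be changed, the same parameterization can sometimes be enforced one layer down by replacing the concatenated statement with a stored procedure or view that takes the term as a parameter, but that still means touching code the service agreement may cover.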