Developpers..
I was a former developper in a bank, we were coding on sybase, and use of stored procedures was mandatory, dynamic sql forbidden.
When I came to work for the web startup I am still working in, I explained all the benefits of stored procedures ( performance, maintainability, security, .. ) and believed to have converted the team to them.
The first stored proc I saw was like this:
declare procedure getusers(@filter varchar(255))
begin
declare @sql varchar(8000)
set @sql = "select * from users_table where " + @filter
exec(@sql)
end
IMHO sql injection is almost something of the past. XSS is the next challenge..
Developpers, Managers, they do not understand what it is about. They just understand this is a critic of their coding practices and a pretext for delays. When a site is hacked they reject it on the OS, the web server, the ISP, the support team. In their opinion it is definitely not an issue they have to deal with, and I see no reason which will make them change their mind.
Bill, because at its debut at microsoft you should not be managed by someone writing worse code than you.