Re: SQL Injection!!!
The reason I thought it had to be really clever was because I just couldn't imagine that anybody would be stupid enough to take user entered data and make it part of a command that is sent to the server in textual form.
When you put it like that it sounds obvious and it's the kind of thing you would do automatically when programming in a mature, compiled language - validate and convert to internal form on input and do whatever conversions are necessary on output. However it gets a lot less clear with a lot of the web languages, which invariably seem to be designed to make it easy to cobble something together rather than aid solid, dependable coding. For example, user input is stashed in variables before your script even runs, variables are dynamically typed and you often need the same data in multiple formats. It is often less than clear what is potentially troublesome.
That alters the vulnerable area from something small and well-defined to something much larger and raggedy. Simple mantras such as "quote all strings, job done" don't cover all the bases. Other quantities such as integers may well need handling differently, however in a dynamically typed language what you just know is an int may well in fact be a crafted string unless safeguards are put in place to guard against that.
So the mantra becomes "quote all strings, half the job done". You've still got a lot of work to do to find and weed out the rest of the vulnerabilities. All of a sudden doing the job properly doesn't look quite so trivial.
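The integer case described in the post above, as an added example that is not part of the original post: a query builder that quotes its string argument but interpolates a value it "just knows" is an int, next to a version that converts to internal form on input and binds parameters. The `notes` table, the function names and the use of Python's `sqlite3` are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: three notes owned by two users.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)",
                   [("alice", "alice's note"), ("bob", "bob's note"), ("bob", "second")])
    return db

def quote(value):
    # The "quote all strings" mantra: wrap in quotes, double embedded quotes.
    return "'" + str(value).replace("'", "''") + "'"

def notes_quoted_only(db, owner, note_id):
    # owner is quoted, but note_id is assumed to be an int and pasted in bare.
    # In a dynamically typed language nothing stops it from being a string.
    sql = "SELECT body FROM notes WHERE owner = %s AND id = %s" % (quote(owner), note_id)
    return [row[0] for row in db.execute(sql)]

def notes_typed(db, owner, note_id):
    # Convert to internal form on input: anything that is not an integer
    # raises ValueError before a statement is built.
    note_id = int(note_id)
    # Bound parameters keep data out of the command text for every type.
    sql = "SELECT body FROM notes WHERE owner = ? AND id = ?"
    return [row[0] for row in db.execute(sql, (owner, note_id))]

if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input: a string where an int is expected
    print(notes_quoted_only(db, "alice", crafted))  # rows of every owner
    try:
        notes_typed(db, "alice", crafted)
    except ValueError as exc:
        print("rejected:", exc)
```
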