It Is Pretty Much a Bad Idea to Expose Raw SQL…

On the joy of SQL injection attacks: "Fun Things I Found Out About Your Company With Administrator Access to your Database" [python-url].

Also includes a link to a guide to such attacks, for the uninitiated.