>>A SQL Injection attack is when a piece of SQL is injected into any SQL sent to a database server. It is not limited to the web.
>
>yep that's true, but i dont think that'd be a big concern on her home computer.
>Is her home computer even networked to anything?
>
>The unfortunate thing here is forgetting about nitpicky security issues on a home computer...
>its two weeks later and so far the closest thing to a "solution" is what i've offered....
>if you have a better solution that'd be cool...

Irrelevant. She has code working. You offered no solution. The parameterization is the correct technique.