>>Your current code is a prime target for SQL injection attacks. Concatenating strings to build a SQL statement from anything coming from user-input fields is a big no-no. Use SQL parameters for that kind of thing.
>>
>
>After speaking with my colleague, it looks like I have to abandon this idea for now. It's too complicated to change.
http://xkcd.com/327/
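To make the "use SQL parameters" point concrete, here is an added example (not code from anyone in this thread) that runs the vulnerable concatenated query and the parameterized query side by side against a constructed in-memory SQLite table. The table, rows and the `find_user_*` function names are assumptions made for the demonstration; the injection payload is the classic `' OR '1'='1` tautology.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table with a few sample rows (assumed data, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def find_user_concat(conn, name):
    """VULNERABLE: the user-supplied value is spliced into the SQL text, so quotes in it change the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name):
    """SAFE: the value is bound as a parameter; the database never parses it as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups with a benign name and with an injection payload; return the four result lists."""
    conn = make_db()
    payload = "x' OR '1'='1"  # turns the WHERE clause into a tautology in the concatenated version
    return {
        "concat_normal": find_user_concat(conn, "alice"),
        "concat_payload": find_user_concat(conn, payload),   # returns every row
        "param_normal": find_user_param(conn, "alice"),
        "param_payload": find_user_param(conn, payload),     # no user has that literal name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Two caveats a practitioner should keep in mind when converting code like this: placeholders bind values only, so table or column names that come from the user still have to be checked against an allow-list rather than parameterized; and the placeholder syntax differs by driver (`?` for sqlite3, `%s` for psycopg2, named `:name` parameters elsewhere), although the principle is the same in each.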