WebApp Sec mailing list archives

On-the-fly SQL query creation


From: "Calderon, Juan Carlos (GE Commercial Finance, NonGE)" <juan.calderon () ge com>
Date: Wed, 12 May 2004 11:46:12 -0400

SQL injection, access to the OS through DB stored procedures/functions, data modification/loss, low performance.

From critical security issues through performance problems and finally a bad programming practice, all of this can be on-the-fly SQL query creation.

Currently, I'm working on a little paper about this, and I'd like to hear your experiences in pentesting, vulnerability assessment, or simply code you have at hand related to this "bad programming" practice.

It has many implications, that is, you may think that if you use PreparedStatements in Java (or the equivalent in other languages) with placeholders and parameter objects (also called that way in ASP.NET) you shouldn't have any problem after all, or that if you validate your inputs (in other languages like PHP/Perl) you are safe, but is that it?

Other technologies that use query languages, like LDAP or MQL, are not in the scope of this paper, for now.

I'll highly appreciate any feedback. BTW, when finished, this little paper will be published on this list for your consideration/use.

Cheers
JC
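The contrast the post asks about, as an added example that is not part of the original message: an on-the-fly query built by string concatenation next to the same query with a bound placeholder, plus the case where placeholders alone are not enough (a column name in ORDER BY, which drivers cannot bind) and so needs an allowlist check. The table and rows are constructed here so it runs offline with Python's sqlite3.

```python
import sqlite3

# Constructed sample table: a tiny "users" table so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(3, "carol", "user"), (1, "alice", "admin"), (2, "bob", "user")])
    return conn

def find_user_concat(conn, name):
    """On-the-fly query: user input is pasted into the SQL text, so the
    database cannot tell data from code."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_param(conn, name):
    """Same query with a placeholder: the driver binds name as a value, never
    as SQL, so quote characters in the input are just characters."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def list_users_sorted_bound(conn, sort_col):
    """Attempt to bind an identifier: the bound value becomes a string literal,
    so ORDER BY sorts by a constant and the request is silently not honoured."""
    return conn.execute("SELECT name FROM users ORDER BY ?", (sort_col,)).fetchall()

# Fixed allowlist of sortable columns (assumed for this example).
ALLOWED_SORT = {"id", "name", "role"}

def list_users_sorted(conn, sort_col):
    """Identifiers cannot be parameterised, so the column name is checked
    against a fixed allowlist before being spliced into the query text."""
    if sort_col not in ALLOWED_SORT:
        raise ValueError("unsupported sort column: %r" % sort_col)
    return conn.execute("SELECT name FROM users ORDER BY " + sort_col).fetchall()
```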

