Re: Got to watch those password lengths
SQL injection is ridiculous. They take some random HTTP POST value and concatenate it onto a SQL statement and run it? Duh!
Even if they run it through a sanitiser, it's a risk, and moreover it's ridiculously inefficient.
Every program (web service or otherwise) I've ever written that takes user input (or input from a comms channel) for an SQL (or "a Sequel" if you prefer) query binds the input variables to placeholders in the query string. Usually the statements are pre-prepared since that avoids a layer of parsing for frequently executed statements.
This is trivially easy to do in PHP, Python, Perl, Ruby etc. and not much more complicated in C/C++ with most client libraries.
To paraphrase Holly, "The highest form of life in the universe is Man and the lowest is a man who works as a web developer."
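The contrast the post draws, as an added example that is not part of the original reply: the concatenated query beside the placeholder-bound one, run against a constructed in-memory SQLite table so the difference in behaviour is visible. The table, rows and crafted input are all constructed for this demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
USERS = [("alice", "tok-a1"), ("bob", "tok-b2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name, token):
    # The anti-pattern the post describes: the HTTP POST values are pasted
    # straight into the SQL text, so quotes in the input change the statement.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND token = '" + token + "'")
    return sorted(row[0] for row in conn.execute(sql))


def lookup_bound(conn, name, token):
    # Placeholders: the SQL text is fixed and parsed once (sqlite3 caches the
    # prepared statement); the values travel separately and are only ever
    # compared as data, never re-parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND token = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, token)))


def demo():
    conn = make_db()
    # Constructed input containing a quote and an OR clause. In the concatenated
    # version the WHERE clause becomes true for every row; in the bound version
    # it is just a string that matches no user.
    tampered = "' OR '1'='1"
    return {
        "concat_legit": lookup_concat(conn, "alice", "tok-a1"),
        "concat_tampered": lookup_concat(conn, tampered, tampered),
        "bound_legit": lookup_bound(conn, "alice", "tok-a1"),
        "bound_tampered": lookup_bound(conn, tampered, tampered),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The bound version also shows why a sanitiser is the wrong layer: there is no input to escape, because nothing from the client ever becomes part of the statement text.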