Scott has an interesting post detailing the risks of SQL injection.
I made that mistake myself when I wrote the contributions web service for Monodoc. Until a few months ago, our Monodoc service had this very problem. Pablo Orduña contacted me off-line and even provided patches to our web service that fixed the issue. Scott's post is highly recommended reading for anyone writing web apps.
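The mistake in question, reduced to its core, as an added illustration that is not Monodoc's code: a lookup built by string concatenation beside the parameterised form, run against a constructed in-memory table (the table, column names and sample rows are assumptions for the demo).

```python
import sqlite3

# Constructed sample data standing in for a contributions table (not Monodoc's schema).
SAMPLE_ROWS = [
    ("alice", "Docs for System.String", "pending"),
    ("bob", "Fix typo in Gtk# docs", "accepted"),
    ("carol", "New tutorial", "pending"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contributions (author TEXT, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO contributions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def pending_by_author_unsafe(conn, author):
    # Vulnerable: the caller's string is pasted into the SQL text, so a quote
    # character in it changes the query's structure instead of staying data.
    sql = ("SELECT title FROM contributions WHERE status = 'pending' "
           "AND author = '" + author + "'")
    return [row[0] for row in conn.execute(sql)]


def pending_by_author_safe(conn, author):
    # Fixed: the value travels as a bound parameter and can never become SQL.
    sql = "SELECT title FROM contributions WHERE status = 'pending' AND author = ?"
    return [row[0] for row in conn.execute(sql, (author,))]


def unsafe_breaks_on_apostrophe(conn, author="O'Brien"):
    # Even an honest name with an apostrophe breaks the concatenated query,
    # which is the simplest sign that data is leaking into code.
    try:
        pending_by_author_unsafe(conn, author)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    hostile = "x' OR '1'='1"  # textbook tautology input, constructed for the demo
    return {
        "unsafe_alice": pending_by_author_unsafe(conn, "alice"),
        "unsafe_hostile": pending_by_author_unsafe(conn, hostile),  # every row, any status
        "safe_hostile": pending_by_author_safe(conn, hostile),      # no such author: []
        "apostrophe_breaks_unsafe": unsafe_breaks_on_apostrophe(conn),
        "apostrophe_ok_safe": pending_by_author_safe(conn, "O'Brien"),
    }
```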