SQL injection attacks are in the news this week. In one article (http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1365263,00.html?track=sy160), I read:
"the fact that only now has the software development lifecycle started to mature to the point where developers have enough security skills and keep security in mind when they build applications"
I am not sure that I agree with this statement as the reason why there are so many SQL injection risks. I have worked with several contractors from India who put mass quantities of hard-coded SQL statements into code. I have done code reviews where I stated "This needs to be taken out, and this, and this," etc. I know of one application written by contractors that took 2 people 1 year to replace all the hard-coded SQL (of course, it is the State, but these were dedicated developers).
SQL injection attacks are all due to hard-coded SQL. No code should ever include hard-coded SQL statements, not even one! Now we have learned, and now we review all code and will reject anything like this. However, the contractors are still writing this way, so unsuspecting customers who like to use contractors can still end up with spaghetti code and big risks of SQL injection. It may be going too far to call it malicious, but it certainly leaves a back door open.
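To make the review point concrete, here is an added example (not code from the post or from any of the applications it mentions) that puts the hard-coded pattern the post rejects next to the parameterized form that should replace it, using Python's built-in sqlite3 against a constructed in-memory table. The same crafted value is run through both lookups so the difference in behaviour is visible.

```python
import sqlite3

def make_db():
    # Constructed sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_concatenated(conn, name):
    # The pattern the post objects to: the SQL text itself is assembled
    # from caller-supplied input, so the input is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # The replacement: the statement is fixed and the value travels
    # separately as a bound parameter, so it can only ever be data.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]

def demo():
    conn = make_db()
    crafted = "x' OR 'a'='a"   # constructed: a value containing SQL syntax
    ordinary = "o'brien"        # constructed: a legitimate name with a quote
    results = {
        "concat_crafted": lookup_concatenated(conn, crafted),
        "param_crafted": lookup_parameterized(conn, crafted),
        "param_ordinary": lookup_parameterized(conn, ordinary),
    }
    try:
        # Concatenation also breaks on honest input: the embedded quote
        # turns a valid name into a malformed statement.
        results["concat_ordinary"] = lookup_concatenated(conn, ordinary)
    except sqlite3.Error as exc:
        results["concat_ordinary"] = "error: " + type(exc).__name__
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the crafted value, the concatenated lookup returns every row in the table while the parameterized lookup correctly returns none; with the ordinary name the concatenated version fails outright, which is the kind of defect a reviewer should reject on sight.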
Thanks for this info. One question: Is Oracle more secure than SQL Server, or (please don't scream out loud) open source MySQL? Or are they all about the same?
I work with SQL, and have not worked with Oracle and MySQL, but my sense of it, in relationship to SQL injection, is that all of them are vulnerable.