SQL injection attacks are nothing new and hopefully everyone is protecting
themselves from it.
An interesting by-product of the standard method of protection from the basic
sql injection attack (replace single quotes with two single quotes) is
increasing the size of the original value. When building a command in a
variable, its possible to truncate the original WHERE conditions allowing the
attacker to affect much more data than the developer intended.
Bala Neerumalla has written a detailed article for MSDN Magazine with
background on the attack methods, some excellent examples, and methods for
detecting and preventing SQL Truncation attacks. Definately worth reading
and implementing.