The secret with XKCD is that you have to read the text in the tooltip that appears when you hold the mouse over the image (only works on the XKCD website itself) - it often contains the point of the joke, or an extra joke.
fred rosenberger wrote:Bobby Tables will always be my favorite.
I've passed out that exact strip to contractors that left us open to just that type of problem. Of course the inputs were only coming from internal (employee) users, so we were a little less worried about malicious SQL hacking. Nonetheless, the guy didn't qualify as "done with the project" until he used parameterized SQL at the very least.
Best: Stored Procs
Better: Parameterized dynamic SQL
Good: Relying on each new programmer to parse the input to catch possible attacks.
Bad: none of the above.
OF COURSE, other factors can make the, say, "Better" option above more attractive for certain projects. You have to look at it on a case-by-case basis.