After working with Adobe's ColdFusion for several years I've come to the conclusion that the single most important thing that a developer can do is use the CFQUERYPARAM tag. This single tag can help prevent many security problems as it will automatically work out how to pass the variable into the database based on the type of data you say it is, e.g. strings will get the proper quotation marks around it, dates will have pound signs added if needed, etc, etc. Wonderful stuff and one of ColdFusion's best features.