
This is probably a topic for the development list, but I wonder what other people's thoughts are. We are now using OTRS internally at our company and things are going very well. After having gone through the code and running into some quoting errors (QuoteSingle is spelled incorrectly in the source), I discovered that OTRS uses a lot of built-up string queries. These are the types of queries that are prone to SQL injection attacks. I realize that OTRS does its best to handle the quoting of parameters for you, but it is still a concern when you could instead use positional parameters and allow the DBD drivers to handle the low-level quoting. Has anyone else out there done an SQL injection risk assessment for OTRS? What do the developers think? I know they are concerned with the security of their product.

Thanks,
Owen
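The contrast Owen raises, a built-up string query versus a DBI positional placeholder, as an added example in Perl (not OTRS code and not from the post). The table, its rows and the quote_single() helper are constructed for the example, and DBD::SQLite is assumed to be installed.

```perl
#!/usr/bin/perl
# Added example, not OTRS code: the same lookup as a built-up string query
# and with a DBI positional placeholder. The ticket table, its rows and
# quote_single() are constructed for this example; assumes DBD::SQLite.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE ticket (id INTEGER PRIMARY KEY, title TEXT, customer TEXT)');
$dbh->do(q{INSERT INTO ticket (title, customer) VALUES ('Printer down', 'alice')});
$dbh->do(q{INSERT INTO ticket (title, customer) VALUES ('Badge reader', 'o''brien')});

# Application-side quoting of the kind a built-up query depends on.
sub quote_single { my $s = shift; $s =~ s/'/''/g; return $s }

# Built-up string query. It is only as safe as the quoting every caller
# remembers to apply; a missed or misnamed quoting call lets the input
# change the SQL text instead of staying data.
sub titles_concat {
    my ($dbh, $customer, $apply_quoting) = @_;
    $customer = quote_single($customer) if $apply_quoting;
    my $sql = "SELECT title FROM ticket WHERE customer = '$customer'";
    return $dbh->selectcol_arrayref($sql);
}

# Positional placeholder: the DBD driver binds the value, so no quoting
# logic lives in application code and the input can only ever be data.
sub titles_bound {
    my ($dbh, $customer) = @_;
    return $dbh->selectcol_arrayref(
        'SELECT title FROM ticket WHERE customer = ?', undef, $customer);
}

my $input = "o'brien";   # ordinary data that happens to contain a quote

my $bound  = titles_bound($dbh, $input);
print "bound placeholder: @$bound\n";

my $quoted = titles_concat($dbh, $input, 1);
print "concat with quoting: @$quoted\n";

# With the quoting step forgotten, the quote inside the data is parsed as
# SQL and the statement no longer means what the code intended.
my $raw = eval { titles_concat($dbh, $input, 0) };
print "concat without quoting: ", ($@ ? "error: $@" : "@$raw"), "\n";
```

Running it shows the bound and correctly quoted forms returning the same row, while the unquoted concatenation fails because the data was interpreted as SQL syntax; the fragile step is the one the driver removes.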