Actually, it's not easy. It's incredibly difficult to have a webapp with a wide range of functionality that doesn't leak data to SQL injections. There's plenty of stuff that can get past the precautions you listed[1][2], although pornel is closer to the mark.
[1] http://ha.ckers.org/sqlinjection/
[2] https://docs.google.com/viewer?url=http://www.ihteam.net/pap...