Today's problem was not SQL injection as I thought. Somehow the clever s**t was able to add obfuscated code to the end of a "standard" Yahoo UI library script. Just a little bit of hex and some recursive array references, and that set the whole chain off. Unreal. The crazy thing is they were able to do this without any change to the mod-date on the file. I am so thankful for Google's browser-side debugging environment. It picked up the cross-site BS embedded in that minified JavaScript. BRAVO!! You would not believe the adventure and the number of shots in the dark.

Now I need to find out how they got to that script to change it. I will watch it like a hawk!
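
Because the script was altered without its mod-date changing, a watch on that file has to compare content rather than timestamps. The following is an added example, not code from the original post: it baselines a file by SHA-256, flags a content change whose mtime is unchanged, and reports when a known-good vendor copy is an exact prefix of the deployed file (code appended to the end). The file name and sample bytes are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Record content hash, size and mtime for one file."""
    with open(path, "rb") as f:
        data = f.read()
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data), "mtime_ns": os.stat(path).st_mtime_ns}

def check(path, baseline, pristine=None):
    """Compare a file with its baseline; return a list of findings."""
    now = snapshot(path)
    findings = []
    if now["sha256"] == baseline["sha256"]:
        return findings
    findings.append("content-changed")
    if now["mtime_ns"] == baseline["mtime_ns"]:
        # Content differs but the timestamp does not, so an
        # mtime-based check alone would have missed this change.
        findings.append("mtime-unchanged")
    if pristine is not None:
        with open(path, "rb") as f:
            data = f.read()
        # Known-good copy is an exact prefix: something was appended.
        if len(data) > len(pristine) and data.startswith(pristine):
            findings.append("appended-tail:%d" % (len(data) - len(pristine)))
    return findings

def demo():
    # Constructed stand-ins for a vendor library and an appended tail.
    pristine = b"var LIB={version:'x'};\n"
    tail = b"/* constructed placeholder for appended code */\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "lib-min.js")
        with open(path, "wb") as f:
            f.write(pristine)
        base = snapshot(path)
        clean = check(path, base, pristine)
        with open(path, "ab") as f:
            f.write(tail)
        # Reproduce the condition from the post: mod-date same as before.
        os.utime(path, ns=(base["mtime_ns"], base["mtime_ns"]))
        return clean, check(path, base, pristine), len(tail)

if __name__ == "__main__":
    print(demo())
```

Keep the baseline and the pristine vendor copy somewhere the web server account cannot write, otherwise whoever changed the script can change the reference too.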