Cheers. SQL Server has in-built security to stop "field1, DROP TABLE *" being injected in there, doesn't it?
It's going into a DataSet in a .NET console application. I thought about doing it directly to XML in SQL Server (I know nothing about it, but I assume it can do at least the basics and probably perform better) but the resulting XML needs to be customised for each export- and writing that kind of customisability into SQL Server would probably cause my head to explode.
Plus one or two places use CSV, because they're mental.