Cheers. SQL Server has in-built security to stop "field1, DROP TABLE *" being injected in there, doesn't it?

It's going into a DataSet in a .NET console application. I thought about doing it directly to XML in SQL Server (I know nothing about it, but I assume it can do at least the basics and probably perform better) but the resulting XML needs to be customised for each export- and writing that kind of customisability into SQL Server would probably cause my head to explode.

Plus one or two places use CSV, because they're mental.

Use SQL Server Integration Services?

(Althought TBH, writing your own C# is probably less painful than some of the faffing you have to do in SSIS.)

As for SQL Injection attacks, there's nothing that'll explicitly prevent that sort of thing, so you still have to clean your parameters before using them, but you can set up the security so that the user who calls the stored procedure don't have the rights to drop tables or whatever.