I have a script in FME Server that gets called by a URL with parameters for the WHERE clause. The querystring on the URL looks like this:
some_example.fmw?Year=2010&Neighbourhood=Kensington-Cedar%20Cottage
The WHERE clause in the database reader then looks like this:
neighbourhood = '$(Neighbourhood)' AND year(event_date) = $(Year)
As I understand it, there is no way to "parameterize" the WHERE clause to avoid an SQL injection attack. Since we are planning to expose our FME Server to the world, it would be great to have this ability in database readers.
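Until the reader supports bound parameters, the risk described above can be reduced before the values ever reach the WHERE clause. The following is an added example, not from the post and not FME code: it takes the same two querystring values (assumed already URL-decoded, so `%20` is a space), rejects anything outside a strict allow-list, and then runs the post's WHERE clause with bound parameters against a constructed in-memory SQLite table. SQLite has no `year()` function, so `strftime('%Y', ...)` stands in for it.

```python
import re
import sqlite3

# Constructed sample rows standing in for the table the FME reader queries.
SAMPLE_ROWS = [
    ("Kensington-Cedar Cottage", "2010-03-01"),
    ("Kensington-Cedar Cottage", "2011-07-15"),
    ("Mount Pleasant", "2010-05-20"),
]

# Allow-list for the Neighbourhood parameter: letters, spaces and hyphens only.
NEIGHBOURHOOD_RE = re.compile(r"[A-Za-z][A-Za-z\- ]{0,63}")


def validate_params(year, neighbourhood):
    """Validate the raw querystring values before they go anywhere near SQL.
    Returns (year as int, neighbourhood) or raises ValueError."""
    if not re.fullmatch(r"[0-9]{4}", year):
        raise ValueError("Year must be exactly four ASCII digits")
    if not NEIGHBOURHOOD_RE.fullmatch(neighbourhood):
        raise ValueError("Neighbourhood contains characters outside the allow-list")
    return int(year), neighbourhood


def open_db():
    """Create the constructed sample table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (neighbourhood TEXT, event_date TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_events(conn, year, neighbourhood):
    """Same WHERE clause as the post's reader, but with bound parameters
    instead of $(...) text substitution, so the values are never parsed as SQL."""
    year_int, hood = validate_params(year, neighbourhood)
    sql = (
        "SELECT neighbourhood, event_date FROM events "
        "WHERE neighbourhood = ? "
        "AND CAST(strftime('%Y', event_date) AS INTEGER) = ?"
    )
    return conn.execute(sql, (hood, year_int)).fetchall()
```

The allow-list is the first line of defence for a server exposed to the world; the bound parameters mean that even a value that slips past it is compared as data, not executed as part of the query.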