Hi,
On this page you can find a section which describes "SQL injection protection in web part properties". The idea is that by default the where and orderby conditions escape the (') character with two ('') characters, which prevents SQL injection attacks. I think this is a great solution, and there is also a way to customize the "this.SQLProperties" property in the code of the web part to add/remove fields from filtering.
So I would like to suggest something that would be very useful for developers: in the web part properties, add a field (or maybe checkboxes) called MacroSqlEscape and allow developers to customize "this.SQLProperties" through this field. In this case developers can decide whether they want to handle quote escaping themselves or rely on Kentico. That would also save time on editing web part properties each time a developer needs to change what should be filtered.
Hope that all makes sense. Please let me know what you think and whether it could be included in a future release.
Thanks,
Sergey
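The escaping rule the post describes, as an added example that is not part of the original post and not Kentico's code: a Python script with a constructed in-memory SQLite table (Documents, not Kentico's schema) and a hypothetical escape_sql_string helper standing in for the doubling of single quotes. It shows that doubling the quote neutralises a payload placed inside a quoted WHERE literal and, going one step beyond the post, that the same rule does nothing for an ORDER BY value, which is not inside a string literal, so a payload containing no apostrophe passes through unchanged and runs as SQL. An allow-list of sort columns (ALLOWED_ORDER_COLUMNS, also hypothetical) is the check that covers that case when a developer handles escaping themselves.

```python
import sqlite3


def escape_sql_string(value: str) -> str:
    """Hypothetical stand-in for the escaping the post describes (not Kentico's code):
    every single quote is doubled so input cannot terminate a SQL string literal."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed sample data in an in-memory SQLite database (not Kentico's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Documents (DocumentID INTEGER, DocumentName TEXT, Published INTEGER);
        INSERT INTO Documents VALUES (1, 'Home', 1), (2, 'Secret draft', 0), (3, 'About', 1);
        """
    )
    return conn


def query_by_name(conn: sqlite3.Connection, name: str, escape: bool = True) -> list:
    """WHERE condition assembled by string concatenation, the way a web part property
    value ends up in the query. The input sits inside a quoted literal, so doubling
    the quotes is enough to keep it there."""
    value = escape_sql_string(name) if escape else name
    sql = f"SELECT DocumentID FROM Documents WHERE Published = 1 AND DocumentName = '{value}'"
    return [row[0] for row in conn.execute(sql)]


def order_documents(conn: sqlite3.Connection, order_by: str) -> list:
    """ORDER BY assembled the same way, with the quote doubling applied. Here the input
    is not inside a string literal, so a payload without any apostrophe is returned
    unchanged by escape_sql_string and executed as SQL."""
    sql = f"SELECT DocumentID FROM Documents WHERE Published = 1 ORDER BY {escape_sql_string(order_by)}"
    return [row[0] for row in conn.execute(sql)]


# Hypothetical allow-list: the only sort columns the page is willing to expose.
ALLOWED_ORDER_COLUMNS = {"DocumentID", "DocumentName"}


def safe_order_by(conn: sqlite3.Connection, column: str, descending: bool = False) -> list:
    """The check ORDER BY still needs when a developer handles escaping themselves:
    accept only an allow-listed column name, never raw SQL from the caller."""
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT DocumentID FROM Documents WHERE Published = 1 ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    injected = "x' OR 1=1 --"
    print(query_by_name(conn, injected, escape=False))  # [1, 2, 3]: every row, unpublished included
    print(query_by_name(conn, injected))                # []: the payload became plain text
    # Boolean oracle through ORDER BY: the sort order reveals whether unpublished rows exist,
    # and the payload contains no apostrophe, so quote doubling leaves it intact.
    probe = ("CASE WHEN (SELECT COUNT(*) FROM Documents WHERE Published = 0) > 0 "
             "THEN DocumentID END DESC")
    print(order_documents(conn, probe))                 # [3, 1]
    print(safe_order_by(conn, "DocumentName"))          # [3, 1]: About before Home
```

Run it as-is; the first print shows the unescaped WHERE payload returning the unpublished row, the second shows the doubled quote turning the same payload into a harmless name comparison, and the third shows the ORDER BY probe changing the result order without ever tripping the quote rule. Passing the probe to safe_order_by raises ValueError instead.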