SQL Injection via table names and field names. Case study.
"About a year ago I had to implement a system where the table name could be configured for an application. Why would you want to do that? Lots of reasons really, like if you have a table generator via a web interface."
This is the reason you don't use a web interface to do this. Allowing admin-level traffic to enter through the same channels as user traffic is generally a bad idea.
It's a major hole in an important layer of your defenses. Open it up and you ask for trouble... even if you establish permissions, those can be bypassed with escalation exploits.
The author demonstrates an SQL "injection" via "malicious" django-admin.py input. Is it really SQL injection if the user has access to your site's admin script?
Some input really is trusted.
I am still amazed by the use of the SQL language. Why use a text-based language instead of some kind of DB API/ABI? You simply can't inject into an API with only a parameter.
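The thread above turns on one mechanical fact: bind parameters cover values, not identifiers, so a configurable table or column name can never go through the "?" placeholder that stops ordinary injection. The following is an added example, not code from the linked post, from django-admin.py, or from any commenter. It uses Python's sqlite3 against a constructed in-memory schema (the tables `users` and `secrets`, and all function and payload names, are assumptions for the demo) to show three things side by side: a string-formatted table name that is injectable, a bound table name that the database rejects outright, and the pattern a table generator actually needs, which is to look the name up as a value with a bound parameter and only then quote it as an identifier.

```python
import re
import sqlite3

# Constructed sample schema for the demo; not the original post's database.
SCHEMA = """
CREATE TABLE users   (id INTEGER PRIMARY KEY, name  TEXT NOT NULL);
CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT NOT NULL);
INSERT INTO users   VALUES (1, 'alice');
INSERT INTO secrets VALUES (1, 'hunter2');
"""

# Identifier shape accepted by the safe path (assumed policy for the demo).
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def make_db():
    """Return an in-memory SQLite connection loaded with the sample schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_names_unsafe(conn, table):
    """VULNERABLE: the table name is pasted into the SQL text, so anything
    the caller supplies after the name becomes part of the statement."""
    rows = conn.execute(f"SELECT name FROM {table}")
    return [r[0] for r in rows]


def list_names_bound(conn, table):
    """What commenters mean by 'just parameterize it': a bound parameter in
    identifier position.  SQLite (and every other engine) refuses to parse
    it, because placeholders only ever stand for values.  Returns None on
    the resulting syntax error so the failure is visible to the caller."""
    try:
        rows = conn.execute("SELECT name FROM ?", (table,))
        return [r[0] for r in rows]
    except sqlite3.OperationalError:
        return None


def table_exists(conn, table):
    """Look the requested name up as a VALUE.  Here binding works, because
    the name is compared against the catalog, not used as an identifier."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row is not None


def quote_ident(name):
    """Quote an identifier the SQL-standard way (double quotes, embedded
    quotes doubled).  MySQL would use backticks instead.  The regex check
    means the replace() never fires; it is kept as belt and braces."""
    if not IDENT_RE.match(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def list_names_safe(conn, table):
    """Hardened path: reject malformed names, confirm the table really
    exists using a bound parameter, then quote it as an identifier."""
    if not IDENT_RE.match(table):
        raise ValueError(f"rejected table name: {table!r}")
    if not table_exists(conn, table):
        raise ValueError(f"unknown table: {table!r}")
    rows = conn.execute(f"SELECT name FROM {quote_ident(table)}")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: a second SELECT smuggled in through the table name.
    payload = "users UNION ALL SELECT token FROM secrets"
    print("unsafe:", list_names_unsafe(db, payload))   # leaks 'hunter2'
    print("bound: ", list_names_bound(db, "users"))    # None: engine refuses
    print("safe:  ", list_names_safe(db, "users"))     # ['alice']
    try:
        list_names_safe(db, payload)
    except ValueError as exc:
        print("safe:  ", exc)
```

The existence check is the minimum; it only proves the name is a real table, not that this caller is allowed to read it. If the generated tables belong to different tenants or roles, keep a per-role allow-list in front of `table_exists` as well, which is the point the earlier comments make about not letting admin-level configuration ride in on user-level channels.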