Security
You can set up a ReportMonger page literally in seconds, and that's handy. However, if you spend a few more minutes writing out a proper SQL query, your report page will be MUCH more secure... and so will your server and data.
The best of all worlds:
- Put in all of the parameters (many are used in places other than just the SQL statements).
- Replace all of the variables in ReportMonger's SQL with hard values, except for the ORDER BY clause, which must remain variable to preserve the ability to change the sort order.
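As an added illustration of the practice above (not ReportMonger's own code or schema; the table, columns and allow-lists are constructed for the example), the report query below keeps every filter value as a hard literal and lets only the ORDER BY column and direction vary, and even those are checked against an allow-list before they are placed in the SQL text:

```python
import sqlite3

# Allow-lists for the only variable part of the query (constructed for this example).
ALLOWED_SORT_COLUMNS = {"name", "total", "created"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def sort_is_allowed(sort_col: str, direction: str) -> bool:
    """True only if both ORDER BY pieces come from the allow-lists."""
    return sort_col in ALLOWED_SORT_COLUMNS and direction.upper() in ALLOWED_DIRECTIONS


def build_report_sql(sort_col: str, direction: str) -> str:
    """Build the report query.

    The WHERE clause uses a hard value ('paid'), never a request variable, so
    nothing a user supplies reaches the filter. ORDER BY cannot be bound as a
    parameter in most databases, so it is the one variable piece, and it is
    restricted to known column names and directions instead of raw input.
    """
    if not sort_is_allowed(sort_col, direction):
        raise ValueError(f"sort not allowed: {sort_col!r} {direction!r}")
    return (
        "SELECT name, total FROM orders "
        "WHERE status = 'paid' "          # hard value, not a variable
        f"ORDER BY {sort_col} {direction.upper()}"
    )


def run_report(conn: sqlite3.Connection, sort_col: str, direction: str):
    return conn.execute(build_report_sql(sort_col, direction)).fetchall()


def demo_conn() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (name TEXT, total REAL, status TEXT, created TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [("acme", 120.0, "paid", "2024-01-03"),
         ("zeta", 80.0, "paid", "2024-01-01"),
         ("mid", 50.0, "unpaid", "2024-01-02")],
    )
    return conn


if __name__ == "__main__":
    print(run_report(demo_conn(), "total", "asc"))
```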