I'll just add that moving to stored procedures and only allowing the web user to execute the stored procedures will also eliminate the possibility that your web user account has been compromised and somebody is doing the updates using Access, SSMS, or some other tool.
I have "hacked" several purchased products within companies I have worked for by finding the account information being used to log in, especially with SQL 2000 products that installed SQL 2000 with a blank sa password.
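
The setup described in this comment, sketched in T-SQL as an added example that is not part of the original post: the web account can execute procedures but has no direct table rights, so connecting with the same credentials from Access or SSMS gives no way to run ad hoc updates. All object names (ShopDb, dbo.Orders, the app schema, web_user, web_exec) are hypothetical.

```sql
-- Hypothetical names throughout: ShopDb, dbo.Orders, app, web_user, web_exec.
USE ShopDb;
GO
-- Procedures get their own schema, owned by dbo like the tables, so ownership
-- chaining lets them modify dbo.Orders without any table grant to the caller.
CREATE SCHEMA app AUTHORIZATION dbo;
GO
CREATE PROCEDURE app.UpdateOrderStatus
    @OrderId int,
    @Status  varchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    -- Static, parameterized statement. Dynamic SQL (EXEC / sp_executesql) inside
    -- the procedure would break the ownership chain and need table permissions.
    UPDATE dbo.Orders SET Status = @Status WHERE OrderId = @OrderId;
END;
GO
CREATE ROLE web_exec;
GRANT EXECUTE ON SCHEMA::app TO web_exec;
-- Explicit DENY: a later GRANT through some other role cannot reopen the tables.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO web_exec;
ALTER ROLE web_exec ADD MEMBER web_user;  -- SQL Server 2012+; sp_addrolemember on older versions
GO
-- Check effective permissions while impersonating the web account.
EXECUTE AS USER = 'web_user';
SELECT
    HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'UPDATE')             AS table_update_allowed,
    HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')             AS table_select_allowed,
    HAS_PERMS_BY_NAME('app.UpdateOrderStatus', 'OBJECT', 'EXECUTE') AS proc_execute_allowed;
REVERT;
GO
-- Audit: direct object-level grants still held by the web account or its role.
SELECT pr.name            AS grantee,
       pe.permission_name,
       pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id)        AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                         -- object or column
  AND pe.state IN ('G', 'W')               -- GRANT or GRANT WITH GRANT OPTION
  AND pe.permission_name IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
  AND pr.name IN ('web_user', 'web_exec');
```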