Quick question.. directed at anyone who can answer it.

Other techniques would be to limit access to files and functions by IP address and direct create several DB accounts with different powers (least privilege) and assign each script to the appropriate DB connection. This dramatically reduces the risk of SQL injection attacks.
The only free open source CMS/BBS whatever you want to call it I've ever seen that allows you to use multiple db accounts is the one I've been working on for a few months now. I'd be interested in a CMS that does this that is established already, if anyone happens to know of one I'd like to see it. I don't think any of the ones on opensourcecms.com have this capability. (They all seem pretty crappy :/)

Hi catch

That said, it may use various filters and such to limit these types of attacks, and although that is better then nothing, for the multi-user web application (where users are contained within the app itself) I would not trust this type of solution.
Even a "root" account with a separate database user on a multi-user web application can be XSS'ed and be forced to do malicious things, in that case mod_security would be pretty valuable. Personally I would go for that extra layer if mod_security itself doesn't add too much.