Thanks to you too Stephen,
Perhaps you can help me understand the vulnerability in my case.
I upload an xml stream as a string to the server, and without deserializing or executing the stream the server packs it into the db via stored procedure. Later, when the stream is requested, it is pulled from the db via stored procedure and sent to the client, again without deserializing or executing it. How could that possibly compromise the server or db?