A colleague and I are working on a system to prevent SQL injection attacks, which involves parsing the SQL string being passed to a db and comparing it to a "known-good" string, as specified by the programmer for a given task; if the parses match, no injection. (That's a very brief overview. I can send you the paper if you want to read it.)

We have to allow developers to specify which part of the SQL string corresponds to user input, and find the narrowest enclosing scope for that substring (ie, the lowest node in the parse tree which generates the whole substring), in order to deal with tokenization.