Currently the OLEDB/ODBC connection string for a server that requires a password can be injected into with a password that contains a ; or a |. There may be other values that cause this as well - these are the ones our company has found so far.
This lowers the security of passwords for our other systems, by limiting what characters we can use.