Support parameter for the file path in BULK INSERT statement
It would be good to support a variable for the data file part of a bulk insert statement. This will prevent some cases where people write SQL injection prone code. File paths allow quotes in the file name, so it is tricky to prevent sql injection when composing dynamic sql to execute bulk insert.
Even though I would not recommend exposing bulk insert throug client facing applications you can see that people try to do this and open themselves to sql injection.