I did something similar to demonstrate common vulnerabilities, such as SQL injection and changing hidden values in forms before submission. It was really tough to make this app with web2py, as I had to skirt around most of the framework to make it happen. This is a GOOD THING though. I learned a lot about the extent that web2py goes to in order to keep apps secure.
You have to wrap everything in XML(), like Anthony mentions. You also have to use db.executesql() and define and handle your own forms manually, without using FORM or SQLFORM.

