How do I prevent SQL Injection?
There're several ways to prevent SQL Injection. One method is to validate each input, ensure that no special characters or SQL sub-strings enter your input. An attacker might still slip through that validation filter. A stronger approach is to avoid using dynamic SQL queries while querying the database. CallableStatements and PreparedStatements in Java, ADOCommand objects in ASP.Net all use pre-compiled queries that are safe from SQL Injection.
We discussed these techniques in this Palisade Quiz.