IDG Answers is a community of experts who are passionate about technology. Ask a question or answer one below.
A few basic steps can help prevent a lot of issues:
Do code reviews so that everything changed is double-checked and looked at with a fresh set of eyes.
Don't allow escape characters.
Use parameterized statements so that data is filtered prior to being sent to the database.
This is the topic of a detailed "SQL Prevention Cheat Sheet" by The Open Web Application Security Project, or OWASP. Here's a key excerpt:
"SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. To avoid SQL injection flaws is simple. Developers need to either: a) stop writing dynamic queries; and/or b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query."
The cheat sheet runs through explanations of several "primary defenses," including Prepared Statements (Parameterized Queries), Stored Procedures and Escaping All User Supplied Input.
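As an added illustration of the answer above (this is not code from the answer, from IDG, or from the OWASP cheat sheet), the Python script below builds a small in-memory SQLite table with constructed sample rows and runs the same lookup three ways: as a dynamic query with the input spliced into the SQL text, as a parameterized query, and with hand-rolled quote escaping. The table, the rows, the function names and the payload string are all assumptions made for the demo. Run it and the dynamic version returns every row for the payload, while the other two return nothing.

```python
import sqlite3

# Constructed sample data for the demo; not taken from the original page.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_email_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: user input is pasted into the query text, so the input
    can change the query's logic. With name = "' OR '1'='1" the statement
    becomes  ... WHERE name = '' OR '1'='1'  and matches every row."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_email_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """SAFE: the query text is fixed and the value travels separately as a
    bound parameter, so it is only ever compared as a string and cannot
    alter the statement. This is OWASP's first primary defense."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def find_email_escaped(conn: sqlite3.Connection, name: str) -> list:
    """WEAKER: escaping the input before splicing it in. In SQLite a single
    quote inside a string literal is written as two single quotes. This
    stops the quote-based payload, but it is database-specific and easy to
    get wrong, which is why OWASP lists escaping as a last-resort defense."""
    escaped = name.replace("'", "''")
    query = f"SELECT email FROM users WHERE name = '{escaped}'"
    return [row[0] for row in conn.execute(query)]


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"  # classic tautology payload, constructed for the demo
    print("dynamic      :", find_email_dynamic(conn, payload))
    print("parameterized:", find_email_parameterized(conn, payload))
    print("escaped      :", find_email_escaped(conn, payload))
```

The same three functions behave identically for an ordinary name such as `alice`; the difference only shows up when the input carries SQL syntax, which is exactly the case the cheat sheet's excerpt describes.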