Protection for SQL Injection

could you not just remove it? or replace it with the html equivalent like WWF does?

We use a custom designed script that will search for any SQL within anything that is being saved to the database.

the quickest way to look for this is to use the Ireplace function and search for any SQL and replace it with #Drop# or #Select# that way you can prevent any commands being excuted on your server.

Below is a quick snippet of my script:

Function SQLPROTECT(inputstr)
'(C) CM Development Ltd. 2008
'The Purpose of this script is to check any of the data passed by forms and other information in the system to ensure that it is
'indeed "SQL SAFE". It will check for standard Javascript And VB Script Code and Also SQL Syntax will be removed from the string aswell.
'It then returns a nice safe alternative so that the SQL Database and Website as a whole is safe.
'This added to an ISAPI Filter will block most attacks from hackers


Dim wStr, redir
                Wstr = inputstr
                'Java And VB Replaces
                                Wstr = Replace(Wstr, "script", "##scr##")
                                Wstr = Replace(Wstr, "Script", "##Scr##")
                                Wstr = Replace(Wstr, "SCRIPT", "##SCR##")
                'Standard Replaces

and so you can see that if you can be bothered to go through all the different possible attacks and the coding behind each one, you may be able to stop them before they get in.

As Bruce also says, with most databases you can secure them from the server end, and also with IIS 7 you can setup ISAPI filters to stop most attacks as added security.