This is not the perfect solution. The perfect solution is to rewrite your code so that user input is never fed into a SQL statement.
However, as we know, the world is not perfect. What if you have an old app, maybe a very large one, with old libraries and no documentation? Well, here is a solution that we have used, and it has worked 100% in blocking SQL injection attacks.
It is not free, nor is it very suitable for high-performance sites, as it adds a drag factor to your app. But it may be suitable for some.
Go over to our friends at SQL Parser: http://www.sqlparser.com and buy the parser.
Make a call to this function with every SQL command before executing it.
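The check described above, as an added example that is not part of the original post or of the parser vendor's code: a small tokenizer (a hypothetical stand-in for a real SQL parser) compares the token structure of the statement built from user input with the structure of the template, and refuses any statement whose structure changed, so it is never handed to the database.

```python
import re

# Minimal SQL tokenizer used as a stand-in for a real parser. It is a
# hypothetical helper written for this example, not the API of the commercial
# parser the post recommends, and it assumes standard '' quote escaping only.
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')            # quoted literal; '' escapes a quote
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><>|<=|>=|!=|[=<>+\-*/,();.])
  | (?P<ws>\s+)
  | (?P<bad>.)                            # anything else, e.g. a stray quote
""", re.VERBOSE | re.DOTALL)

def shape(sql):
    """Token sequence with literal values abstracted away: two statements that
    differ only in the data they carry get the same shape."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind in ("string", "number"):
            out.append(kind)               # only that a literal is present matters
        elif kind == "ident":
            out.append(m.group().upper())  # keywords and names, case-folded
        else:
            out.append((kind, m.group()))  # operators, comments, stray characters
    return out

def build_checked(template, *values):
    """Fill a {}-template with raw input strings, then parse both the template
    and the result. Return the statement only if the input added, removed or
    changed no tokens; otherwise return None so the caller does not execute it."""
    reference = shape(template.format(*("0" for _ in values)))
    sql = template.format(*values)
    actual = shape(sql)
    if any(isinstance(t, tuple) and t[0] in ("comment", "bad") for t in actual):
        return None                        # comments or unbalanced quotes never belong in data
    return sql if actual == reference else None

if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, three that change the statement.
    query = "SELECT id FROM users WHERE name = '{}' AND pin = {}"
    for name, pin in [("alice", "1234"), ("' OR '1'='1", "1234"),
                      ("admin'--", "1"), ("alice", "0 OR 1=1")]:
        print(repr(name), repr(pin), "->", build_checked(query, name, pin))
```

A legitimate value containing a quote must already be escaped as `''` to pass; an unescaped `O'Brien` is rejected as malformed rather than executed, which is the safe failure.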
© 2004 - 2013 1 Oak Hill Grove Surbiton Surrey KT6 6DS Phone: +44(020)33845936