I am really excited about the most recent chapter that I reviewed in the Deep Dives book. I think what I like about this the most is the fact that this is something that attracts a lot of attention. There are some things that you can do to help avoid SQL Injection that are not directly related to security. Here is a clip from the review, to read the rest check it out here.
If you are just passing back your errors to an application or even worse a web page you are putting your database in jeopardy. Think of it like this… If an error is passed back to a web page have you not just validated what is not acceptable to your database? If you have validated what is not acceptable then is the reverse true, when you look at what is acceptable? So could someone just sit there and try different options and until they have a successful injection attack?
Maybe this is Extreme, Maybe