Protect Against SQL Injection Attacks

Problem

You want to reduce the opportunity for attackers to submit malicious SQL code in command parameter values.

Solution

Use a parameterized query.

Discussion

Many applications build SQL commands dynamically by concatenating the pieces into one large string. This approach poses problems when dealing with binary data, and it also raises the possibility that an attacker can execute malicious SQL code by "injecting" it along with a parameter value. This malicious code could be used to tamper with information in the database or even launch another application on the server. You can read some frightening examples for different database servers on the Open Web Application Security Project Web site at http://www.owasp.org/asac/input_validation/sql.shtml ...
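The following is an added example, not code from the cookbook itself, that places a string-concatenated query beside its parameterized equivalent using ADO.NET's SqlCommand and SqlParameter. It assumes a SQL Server database with a Customers table containing CustomerID and CompanyName columns (Northwind-style), and the connection string is a placeholder you must replace.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Module ParameterizedQueryDemo

    ' Placeholder; replace with a real connection string (assumption, not from the book).
    Private Const ConnectionString As String = "<YOUR-CONNECTION-STRING>"

    ' UNSAFE: the caller's value is pasted directly into the SQL text.
    ' Any single quote in companyName terminates the string literal, and whatever
    ' follows is interpreted by the server as SQL rather than as data. Even a
    ' legitimate name such as "O'Reilly" produces a syntax error here.
    Public Function FindCustomersUnsafe(ByVal companyName As String) As DataTable
        Dim sql As String = "SELECT CustomerID, CompanyName FROM Customers " & _
                            "WHERE CompanyName = '" & companyName & "'"
        Dim table As New DataTable()
        Using con As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand(sql, con)
                Using adapter As New SqlDataAdapter(cmd)
                    adapter.Fill(table)
                End Using
            End Using
        End Using
        Return table
    End Function

    ' SAFE: the SQL text is fixed and contains only a named placeholder.
    ' The value is sent to the server as a typed parameter, so it is always
    ' treated as data; quotes, comment markers and semicolons inside it have
    ' no effect on the statement's structure.
    Public Function FindCustomersSafe(ByVal companyName As String) As DataTable
        Const sql As String = "SELECT CustomerID, CompanyName FROM Customers " & _
                              "WHERE CompanyName = @CompanyName"
        Dim table As New DataTable()
        Using con As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand(sql, con)
                ' Declaring the type and length also stops oversized input and
                ' keeps the query plan cacheable across different values.
                Dim param As New SqlParameter("@CompanyName", SqlDbType.NVarChar, 40)
                param.Value = companyName
                cmd.Parameters.Add(param)
                Using adapter As New SqlDataAdapter(cmd)
                    adapter.Fill(table)
                End Using
            End Using
        End Using
        Return table
    End Function

    Public Sub Main()
        ' A constructed value with an apostrophe: breaks the unsafe version,
        ' is matched literally by the safe version.
        Dim name As String = "O'Reilly Media"

        Try
            Dim rows As DataTable = FindCustomersUnsafe(name)
            Console.WriteLine("Unsafe query returned {0} row(s)", rows.Rows.Count)
        Catch ex As SqlException
            Console.WriteLine("Unsafe query failed: " & ex.Message)
        End Try

        Dim safeRows As DataTable = FindCustomersSafe(name)
        Console.WriteLine("Parameterized query returned {0} row(s)", safeRows.Rows.Count)
    End Sub

End Module
```

The same pattern applies to INSERT, UPDATE and DELETE statements and to stored-procedure calls (set CommandType to StoredProcedure and add one SqlParameter per argument). Binary data is handled the same way: assign a Byte array to a parameter of type SqlDbType.VarBinary instead of trying to embed it in the command text.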