in reply to Preventing malicious T-SQL injection attacks
I guess that it might be an idea to limit the SPROCs that can be called. It might be an idea to make it impossible to activate any SPROC that is a system SPROC. That would require screening of the $SPROC variable.
Whitelist. Make a list of all the acceptable values of $SPROC, and
don't execute anything that's not on the list. In information security,
it is always far, far better to use a whitelist than a blacklist.
Anything not expressly allowed is automatically verboten. Don't put
anything on the list that doesn't actually need to be there.
Plus do what bart suggests above, with the placeholders. I was going
to say that, but he beat me to it. It's good advice.