in reply to
Use placeholders. For SECURITY!
Absolutely. The alternative at the database level can be to force all access via stored procedures, but even that doesn't necessarily protect you against this sort of problem.
At one client we have set up a fairly elaborate security system where the front-end servers hit a middleware layer on a different server with a request that includes a service name and an MD5 key for that service, which gets validated in the database before the service is allowed to run. This should prevent unauthorized hosts from connecting to the database directly, and from attempting to execute unauthorized database requests (I say "should" because we all know that all software has bugs...). It costs us in terms of performance (for each database request there are multiple round-trips to the database to validate the request, etc.), but preserving the integrity of our data is essential.
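A small sketch of the two ideas in this thread side by side (placeholders, plus a middleware layer that validates a service name and key before anything runs). This is an added illustration, not the poster's code; the table names, service names, keys and sample rows are all constructed, and SHA-256 via `hashlib` stands in for the MD5 key the post describes since the check has the same shape either way.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample schema: a service registry plus the one data table the
# registered services are allowed to touch. Every name here is an assumption.
SCHEMA = """
CREATE TABLE services (name TEXT PRIMARY KEY, key_hash TEXT NOT NULL, sql TEXT NOT NULL);
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER);
"""

SAMPLE_ROWS = [(1, "alice", 100), (2, "bob", 250)]  # constructed data


def key_hash(secret: str) -> str:
    # SHA-256 stands in for the MD5 service key from the post; only a hash of
    # the key is kept in the registry, never the key itself.
    return hashlib.sha256(secret.encode()).hexdigest()


def build_db(service_defs):
    """Create an in-memory database with the sample rows and the service registry.
    service_defs is a list of (service_name, secret_key, parameterized_sql)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    for name, secret, sql in service_defs:
        conn.execute("INSERT INTO services VALUES (?, ?, ?)", (name, key_hash(secret), sql))
    conn.commit()
    return conn


class Unauthorized(Exception):
    """Raised when the (service, key) pair is not in the registry."""


def run_service(conn, service_name, presented_key, params):
    """Middleware entry point: look the service up by name, compare the presented
    key against the stored hash in constant time, and only then execute the
    statement that was registered for that service, with caller data bound as
    placeholders rather than spliced into the SQL text."""
    row = conn.execute(
        "SELECT key_hash, sql FROM services WHERE name = ?", (service_name,)
    ).fetchone()
    if row is None:
        raise Unauthorized(f"unknown service {service_name!r}")
    stored_hash, sql = row
    if not hmac.compare_digest(stored_hash, key_hash(presented_key)):
        raise Unauthorized(f"bad key for service {service_name!r}")
    return conn.execute(sql, params).fetchall()


def demo():
    """Exercise the happy path, an injection-shaped input, and a bad key."""
    conn = build_db([
        ("get_customer", "s3cret-get",
         "SELECT id, name, balance FROM customers WHERE name = ?"),
    ])
    ok = run_service(conn, "get_customer", "s3cret-get", ("alice",))
    # With a placeholder the quote-laden string is just a literal name that
    # matches nothing, instead of rewriting the WHERE clause.
    inj = run_service(conn, "get_customer", "s3cret-get", ("alice' OR '1'='1",))
    try:
        run_service(conn, "get_customer", "wrong-key", ("alice",))
        rejected = False
    except Unauthorized:
        rejected = True
    return ok, inj, rejected


if __name__ == "__main__":
    print(demo())
```

The cost the post mentions is visible here too: every call does a registry lookup before the real query, so it is one extra round-trip per request, but callers never get to choose the SQL, only the parameters.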