i had this question on one of my last security talks. A guy told me that he replace every qoute with a double qoute and he is save. I didnt find the answere at this time.
unkown developer - i must say to you - you are wrong- you are UNSAVEtoday in a meeting with Michael Willers and Tobias Ulm talking about the security trainings we deliver next month, michael showed us the follwing code
select * from blabla where id=12323 ;shutdown
I didnt ever know that sql server have a tsql shutdown command. Now i know it and i know also there is no qoute inside.
But the most important lession i learned again is: you never know, what you dont know!
You also never know that a application is save, you only know the opposite. Every application is unsave. Feel bad? i do!
UPDATE the best way ist to use paramterized stored procedures. I say this, because its also possible to use stored procedures without parameters collection