You have to protect yourself against SQL injection. What should you do?
A.
Parse all input for: -- /* */ ; '
B.
Concatenate user input that is not validated.
C.
Accept the following strings in fields from which file names can be constructed: AUX, CLOCK$, COM1 through COM8, CON, CONFIG$, LPT1 through LPT8, NUL, and PRN.
D.
Use stored procedures with unfiltered input.
Answer: A
Explanation:
http://msdn.microsoft.com/en-us/library/ms161953.aspx
When you can, reject input that contains the following characters.
Input character    Meaning in Transact-SQL
;                  Query delimiter.
'                  Character data string delimiter.
--                 Comment delimiter.
/* ... */          Comment delimiters. Text between /* and */ is not evaluated by the server.
xp_                Used at the start of the name of catalog-extended stored procedures, such as xp_cmdshell.
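The table above is a blocklist. The following Python example was added for this page (it is not code from the page or from the MSDN article): it implements a filter for the listed tokens and runs it beside the two query styles the options contrast, unvalidated concatenation (option B) and a parameterized query, which the same MSDN article lists as the first line of defense ahead of character rejection. The in-memory SQLite database, its sample rows, the attacker string and all function and table names are constructed for the example. SQLite accepts the same ' and -- syntax as Transact-SQL, so the injected string behaves the same way; the xp_ token is SQL Server specific and appears only in the filter.

```python
import sqlite3

# Token blocklist taken from the Transact-SQL table above. This filter is an
# example written for this page, not MSDN's code; all names are assumptions.
REJECTED_TOKENS = (";", "'", "--", "/*", "*/", "xp_")


def contains_rejected_token(value: str) -> bool:
    """Option A: report whether the input carries any of the listed sequences.
    Compared case-insensitively because T-SQL identifiers such as XP_CMDSHELL
    are case-insensitive under the default collation."""
    lowered = value.lower()
    return any(token in lowered for token in REJECTED_TOKENS)


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_concatenated(conn, name: str):
    """Option B: unvalidated input concatenated into the statement. The
    caller's text is parsed as SQL, so a quote plus a comment marker lets it
    rewrite the WHERE clause and leak every row."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_filtered(conn, name: str):
    """Option A in practice: reject the listed tokens, then concatenate.
    Stops the payload below, but also rejects legitimate values such as
    O'Brien, and only covers the sequences on the list."""
    if contains_rejected_token(name):
        raise ValueError("input contains a rejected character sequence")
    return lookup_concatenated(conn, name)


def lookup_parameterized(conn, name: str):
    """Type-safe SQL parameter: the driver passes the value separately from
    the statement text, so it is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR 1=1 --"  # constructed attacker input
    print("concatenated:", lookup_concatenated(db, payload))    # both rows
    print("parameterized:", lookup_parameterized(db, payload))  # no rows
    try:
        lookup_filtered(db, payload)
    except ValueError as exc:
        print("filtered:", exc)
    print("O'Brien rejected by filter:", contains_rejected_token("O'Brien"))
```

Run it and the concatenated query returns both users for the payload, the filtered version refuses the payload, and the parameterized version returns nothing because the whole string is compared as a name. The filter also refuses O'Brien, which is why character rejection belongs behind parameterization rather than in place of it.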