How it works...

The main part of preventing any kind of code injection attack is always proper input validation, on both the client side and the server side.

For SQL injection, always use parameterized or prepared queries instead of concatenating SQL statements and user input. A parameterized query binds the supplied values to placeholders in a fixed SQL statement, so the programmer never has to build the query text by concatenation and the input cannot alter the structure of the statement.

In this recipe, we used and recommended the language's built-in validation functions, but you can write your own, for example using regular expressions, if you need to validate a special type of input.
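The two points above side by side, as an added example that is not part of the recipe: a lookup built by concatenation next to the same lookup as a parameterized query, plus a server-side allow-list check. It assumes Python's sqlite3 module, a constructed in-memory users table, and a hypothetical username policy of 3 to 32 word characters.

```python
import re
import sqlite3


def make_db():
    """Build a constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, username):
    """The pattern the recipe warns against: the input is spliced into the
    statement text, so a quote in the input changes the statement itself."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Parameterized query: the driver binds the value to the ? placeholder,
    so the input is only ever compared as data and cannot alter the SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for usernames (hypothetical policy for this example):
# 3 to 32 letters, digits or underscores, nothing else.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def valid_username(value):
    """Server-side validation; fullmatch anchors the check to the whole string."""
    return USERNAME_RE.fullmatch(value) is not None


def lookup_validated(conn, username):
    """Both layers together: reject malformed input, then query with a bound parameter."""
    if not valid_username(username):
        raise ValueError("username fails validation")
    return lookup_param(conn, username)


if __name__ == "__main__":
    db = make_db()
    tainted = "alice' OR '1'='1"
    print("concatenated:", lookup_concat(db, tainted))  # every row comes back
    print("parameterized:", lookup_param(db, tainted))  # no row has that literal name
    print("validated:", valid_username(tainted))        # False, rejected before any query
```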

Apart from performing correct validation, we also need to reduce the impact of a compromise in case somebody does manage to inject code. This is done by properly configuring privileges: for a web server, the privileges of its user in the operating system; for a database server, the privileges of its users in both the database and the operating system.
