Yesterday I was speaking with a developer, and he mentioned something about restricting the insertions on a database field, like, strings such as -- (minus minus).
Use parameterized queries. These queries represent the variables as a placeholder in the SQL, such as select * from person where name = ?. After creating the SQL query, you set the parameter values in the query. Parameterized queries ensure that whatever was substituted for the placeholder will not be considered as part of the SQL statement.
See Jeff Atwood's article for a good overview of parameterized queries.
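An added example (not code from the thread above) showing why the answer recommends placeholders rather than filtering strings like --: the same lookup is written once by string concatenation and once with a ? parameter, using Python's sqlite3 module and constructed in-memory sample data; the table, names and inputs are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample data (not from the original thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT)")
    # A legitimate value containing both an apostrophe and -- : blocking
    # those characters at insert time would reject real data.
    conn.executemany("INSERT INTO person (name) VALUES (?)",
                     [("alice",), ("bob",), ("o'neil -- legit",)])
    return conn


def find_concat(conn, name):
    """Vulnerable form: the input is spliced into the SQL text, so a quote
    or a comment marker inside it changes the statement's meaning."""
    sql = "SELECT name FROM person WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_param(conn, name):
    """Safe form: ? is a placeholder; the driver sends the value separately,
    and it is never parsed as SQL whatever characters it contains."""
    rows = conn.execute("SELECT name FROM person WHERE name = ?", (name,))
    return [row[0] for row in rows]


def insert_param(conn, name):
    """Storing a value that contains -- needs no filtering when parameterized."""
    conn.execute("INSERT INTO person (name) VALUES (?)", (name,))
    return find_param(conn, name)


def run_demo():
    """Runs both forms against the same data and returns the results."""
    conn = make_db()
    hostile = "' OR 1=1 --"  # constructed input that closes the quote and comments out the rest
    return {
        "param_exact": find_param(conn, "alice"),
        "param_hostile": find_param(conn, hostile),      # matches nothing
        "concat_hostile": find_concat(conn, hostile),    # matches every row
        "param_legit": find_param(conn, "o'neil -- legit"),
        "stored": insert_param(conn, "x -- y"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The parameterized lookup returns only the exact row even for the hostile string, while the concatenated lookup returns the whole table, so the defence belongs in how the query is built, not in a blocklist of characters.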