Yesterday I was speaking with a developer, and he mentioned something about restricting insertions into a database field of strings such as -- (minus minus).
It is not dangerous as long as you correctly escape the data when doing INSERT/UPDATE/....
And escaping HTML characters is NOT a good approach. Imagine you wrote a function that escapes such characters and you have stored some escaped text in the database. Then you notice that your function did not escape '<', so you change the function... now what happens to the records that are already in the database? - Their '<' characters will stay unescaped. Thus, NEVER escape text before storing it in the database (escape the SQL query, of course). Escaping should happen when the HTML/XML/... page is produced out of the text, that is, after querying the original text from the database!
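The two points made above (a literal "--" is harmless when the query is parameterized, and HTML escaping belongs at render time, not at storage time) as an added worked example. This is not code from the thread; it uses an in-memory SQLite database and constructed sample inputs, and the table and function names are the example's own assumptions.

```python
import html
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    # Constructed sample user (plaintext password only to keep the demo short).
    conn.execute("INSERT INTO users (name, password) VALUES ('admin', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The statement is built by string formatting. A name of  admin' --  closes
    # the string literal and turns the rest of the line (the password check)
    # into an SQL comment. This is the "--" the developer was worried about.
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterized query: the driver sends the values separately from the
    # statement text, so quotes and "--" in the input are just characters.
    # No blacklist on the stored data is needed.
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def store_comment(conn: sqlite3.Connection, body: str) -> int:
    # Store the ORIGINAL text. No HTML escaping here: the database is not HTML,
    # and the same text may later be rendered into JSON, a mail, or a PDF.
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    return cur.lastrowid


def render_comment(conn: sqlite3.Connection, comment_id: int) -> str:
    # Escape for the output context (HTML) at render time. If the escaping
    # rule has to change later, every row already in the table benefits on
    # the next render, which is the point made in the answer above.
    (body,) = conn.execute(
        "SELECT body FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    return f"<p>{html.escape(body, quote=True)}</p>"


def demo() -> dict:
    """Run both halves of the argument and return the observable results."""
    conn = setup_db()
    results = {
        # Comment injection bypasses the password check in the concatenated query...
        "vuln_bypass": login_vulnerable(conn, "admin' --", "wrong"),
        # ...but not in the parameterized one, which still works for real logins.
        "safe_bypass": login_safe(conn, "admin' --", "wrong"),
        "safe_real": login_safe(conn, "admin", "correct horse"),
    }
    # Constructed comment containing both "--" and markup; stored verbatim.
    cid = store_comment(conn, "Sale -- 50% off <script>alert('x')</script>")
    results["stored"] = conn.execute(
        "SELECT body FROM comments WHERE id = ?", (cid,)
    ).fetchone()[0]
    results["rendered"] = render_comment(conn, cid)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The stored row keeps the raw `--` and `<script>` text unchanged; only `render_comment` turns the angle brackets and quotes into entities, and only because the output happens to be HTML.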