1) NEGATIVE INPUT FILTERS

The simplest way to prevent this sort of injection is to search the SQL string
for semi-colons and double dashes, and remove them before passing the statement
to the database. That’s easy in an adequate application language, for example in PHP:

// Strip the comment marker "--" and the statement separator ";" (the page's original used an en-dash, which would not match a real double dash)
$protectedqry = str_replace( "--", "", str_replace( ";", "", $qry ));

2) POSITIVE INPUT FILTERS

You could decide to accept only alphanumeric characters in user names and passwords. It is easy to enforce that rule in PHP:

// Reject the request if the user name or password contains anything but ASCII letters and digits.
// preg_match() replaces ereg(), which PHP 7 removed; the pattern is otherwise the same.
if( preg_match( '/[^A-Za-z0-9]+/', $usr.$pwd )) {
echo "<script>
alert('Alphabetic and numeric characters only, please.');
</script>";
exit;
}

3) OUTPUT FILTERS

Application languages provide generic tools for cleaning up submissions to your database. Again in PHP the function to use is mysql_real_escape_string():

// Escape each user-supplied value, not the assembled query: escaping the whole
// string would also mangle the quotes that delimit the query's own literals.
// (The mysql extension was removed in PHP 7; mysqli_real_escape_string() does the
// same job with the connection as its first argument.)
$safe_usr = mysql_real_escape_string( $usr, $connection_resource );
$qry = "SELECT * FROM users WHERE name = '$safe_usr'";
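The three filters above side by side, as an added example that is not part of the original page. It runs the negative filter, the positive filter and per-value escaping over a few constructed inputs against an in-memory SQLite table, and ends with a prepared statement for comparison. It assumes PHP 7 or later with the pdo_sqlite extension; PDO::quote() stands in for mysql_real_escape_string() so no MySQL server is needed, and the table, rows and inputs are all constructed here.

```php
<?php
declare(strict_types=1);

// 1) Negative filter: strip the two tokens the text names, ";" and "--".
function negativeFilter(string $qry): string
{
    return str_replace(['--', ';'], '', $qry);
}

// 2) Positive filter: accept only ASCII letters and digits (allowlist).
function isAlphanumeric(string $value): bool
{
    return preg_match('/^[A-Za-z0-9]+$/', $value) === 1;
}

// 3) Output filter: escape ONE user-supplied value before it is spliced into
//    the SQL text. PDO::quote() is used here in place of
//    mysql_real_escape_string(); note that it also adds the surrounding quotes.
function escapeValue(PDO $db, string $value): string
{
    return $db->quote($value);
}

// Constructed test database: a users table with two rows, one of which has an
// apostrophe in a perfectly legitimate name.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, pwd TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 's3cret'), ('o''brien', 'pw')");

// Constructed inputs: an ordinary login, one carrying the two stripped tokens,
// and the apostrophe name.
$inputs = [
    ['alice',   's3cret'],
    ['bob;--',  'x'],
    ["o'brien", 'pw'],
];

foreach ($inputs as [$usr, $pwd]) {
    printf("input: user=%s pwd=%s\n", $usr, $pwd);

    // Approach 1: build the query first, then strip the tokens and run it.
    // The apostrophe case shows what the negative filter does not cover.
    $raw = "SELECT name FROM users WHERE name = '$usr' AND pwd = '$pwd'";
    try {
        $hit = $db->query(negativeFilter($raw))->fetchColumn();
        printf("  1) negative filter : %s\n", $hit === false ? 'no match' : $hit);
    } catch (PDOException $e) {
        printf("  1) negative filter : query failed (%s)\n", $e->getMessage());
    }

    // Approach 2: refuse the request before any SQL is built at all.
    printf("  2) positive filter : %s\n",
        isAlphanumeric($usr) && isAlphanumeric($pwd) ? 'accepted' : 'rejected');

    // Approach 3: escape each value as it is spliced in; the SQL stays valid
    // and the apostrophe name is found.
    $escaped = sprintf('SELECT name FROM users WHERE name = %s AND pwd = %s',
        escapeValue($db, $usr), escapeValue($db, $pwd));
    $hit = $db->query($escaped)->fetchColumn();
    printf("  3) escaped values  : %s\n", $hit === false ? 'no match' : $hit);

    // For comparison: a prepared statement keeps the values out of the SQL
    // text entirely, so none of the three filters has to be applied.
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ? AND pwd = ?');
    $stmt->execute([$usr, $pwd]);
    $hit = $stmt->fetchColumn();
    printf("     prepared stmt   : %s\n\n", $hit === false ? 'no match' : $hit);
}
```

Run it with the PHP CLI (for example `php filters.php`, a hypothetical file name). The apostrophe row is the one to watch: the negative filter leaves the quote in place and the query breaks, the positive filter rejects a legitimate user outright, and only per-value escaping or the prepared statement handles the name correctly, which is why the last two are the forms to build on.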