1) NEGATIVE INPUT FILTERS

The simplest way to prevent this sort of injection is to search the SQL string for semicolons and double dashes ("--") and remove them before passing the statement to the database. That is easy in any adequate application language; for example, in PHP:

    $protectedqry = str_replace("--", "", str_replace(";", "", $qry));
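The same filter as a reusable function, with a reject-and-log variant beside it so a blocked statement is noticed rather than silently edited. This is an added example, not code from the original article; the function names and the sample query are assumptions.

```php
<?php
// Added example (not from the original article). Function names are assumed.

// Strip variant: mirrors the article's nested str_replace. Semicolons are
// removed first so that an input such as "-;-" cannot collapse into a fresh
// "--" after the dash pass; the article's ordering has this property, the
// reverse ordering does not.
function strip_sql_metachars(string $qry): string
{
    $noSemicolons = str_replace(';', '', $qry);
    return str_replace('--', '', $noSemicolons);
}

// Reject variant: a negative filter that quietly rewrites input hides the
// fact that something tried to get through. Refusing the statement and
// logging the event gives the operations team something to detect.
function reject_sql_metachars(string $qry): ?string
{
    if (strpos($qry, ';') !== false || strpos($qry, '--') !== false) {
        error_log('negative input filter: rejected statement containing ; or --');
        return null;
    }
    return $qry;
}

// Constructed sample input containing both filtered sequences.
$qry = "SELECT name FROM users WHERE id = 42; -- trailing comment";

echo "stripped: ", strip_sql_metachars($qry), PHP_EOL;
$checked = reject_sql_metachars($qry);
echo "rejected: ", ($checked === null ? 'yes' : 'no'), PHP_EOL;
```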