How to prevent SQL injection
ORM libraries for working with databases, such as Doctrine, Ruby on Rails and others, implement protection against SQL injection internally. But they do not give 100% protection: even when working with an ORM it is still possible to make a mistake that leads to an injectable query, typically when dynamic SQL queries are assembled by hand.
Filtering prohibited symbols
One protection option is black-list filtering: invalid characters, for example single and double quotes (', "), are removed from the input or the input is rejected. This method is not suitable for real applications because it also cuts off legitimate data. Suppose there is a table "users" in which the system's clients are stored with the field "name". If a user named D'Artagnan tries to register, that name will not pass the check and the user will not be able to use the system.
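As an added example (not code from the original article), the black-list filter beside a parameterized query, using Python's sqlite3 module and a constructed in-memory "users" table: the filter rejects D'Artagnan, dynamic SQL built by string formatting fails on the same legitimate name, and a bound parameter stores and retrieves it intact.

```python
import sqlite3
from typing import Optional

# Constructed sample input: a legitimate name that contains a single quote.
LEGIT_NAME = "D'Artagnan"

# Constructed black-list of the characters the naive filter refuses.
BLACKLIST = {"'", '"'}


def blacklist_filter(value: str) -> Optional[str]:
    """Return the input unchanged, or None if it contains a black-listed character.

    This is the approach the text warns about: it refuses legitimate data.
    """
    if any(ch in BLACKLIST for ch in value):
        return None
    return value


def open_db() -> sqlite3.Connection:
    """Create the constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_user_dynamic(conn: sqlite3.Connection, name: str) -> None:
    """Dynamic SQL assembled by string formatting: the quote in the name breaks the statement."""
    conn.execute(f"INSERT INTO users (name) VALUES ('{name}')")


def insert_user_parameterized(conn: sqlite3.Connection, name: str) -> None:
    """Bound parameter: the value travels separately from the SQL text, so no filtering is needed."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))


def find_user(conn: sqlite3.Connection, name: str) -> Optional[str]:
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run all three approaches against the legitimate name and report what happened."""
    results = {"blacklist": blacklist_filter(LEGIT_NAME)}
    conn = open_db()
    try:
        insert_user_dynamic(conn, LEGIT_NAME)
        results["dynamic"] = "ok"
    except sqlite3.OperationalError:
        results["dynamic"] = "syntax error"
    insert_user_parameterized(conn, LEGIT_NAME)
    results["parameterized"] = find_user(conn, LEGIT_NAME)
    return results
```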