(no title)
lfconsult | 2 years ago
It's a bit weird but I'm using a language (for a specific project) where prepared statements aren't available (except if you pay or use a specific DBMS; I can't do both because the client won't pay and I need SQLServer).
My initial idea was to use a DLL from PDO (I'm developing on a Windows env) or whatever known piece of code that is trustable in order to sanitize user inputs (of course we do it client side but the user is the devil :-)) before sending it to SQLServer.
After all the answers and my research, I think that I'll use a third-party piece of code to escape queries (probably a C# program using SQLCommand).
Thanks all.
If anybody knows exactly how SQLServer handles SQL statements, please let us know.
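Since the post settles on a C# program using SqlCommand, here is an added example (not the poster's code) of what that looks like when the user value is bound as a typed parameter instead of being escaped into the query text; the table, column and connection string are placeholders. With SqlClient, such a command reaches SQL Server through sp_executesql with the parameter carried separately from the SQL text, so the server never has to parse the user value as SQL.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical helper: looks up rows by a user-supplied name with the value
// bound as a typed parameter rather than spliced (or escaped) into the SQL.
// Assumes a table dbo.Customers(Id int, Name nvarchar(100)); all names here
// are placeholders, not from the original post.
static class SafeLookup
{
    // Placeholder connection string; in practice keep credentials out of source.
    const string ConnStr =
        "Server=SQLSERVER_HOST;Database=AppDb;Integrated Security=true;";

    public static int CountByName(string userInput)
    {
        // The SQL text is a constant; the user value never becomes part of it.
        const string sql =
            "SELECT COUNT(*) FROM dbo.Customers WHERE Name = @name";

        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declare type and length explicitly so the server receives a typed
            // nvarchar(100) parameter. A value like O'Brien, or one containing
            // quotes or SQL keywords, is compared literally as a string; no
            // escaping is needed and over-long input is not silently accepted.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value =
                userInput ?? (object)DBNull.Value;

            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    static void Main(string[] args)
    {
        // Apostrophe in the name needs no special handling on this path.
        string input = args.Length > 0 ? args[0] : "O'Brien";
        Console.WriteLine(CountByName(input));
    }
}
```

If the other language can only shell out to this program, pass the user value as a separate argument (as above) rather than embedding it in a command line string, or the same problem reappears one layer up.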