This post gave a nice overview of SQL injection attacks. This page also suggests some regular expressions that might work well to defeat both SQL injection and cross-site scripting (XSS) attacks. The interesting dilemma, IMO, is how to prevent SQL injection attacks on user-name fields while still allowing punctuation within names. For example, if your last name is Irish or transliterated Hebrew, you are liable to have lots of trouble getting your name past the typical whitelist filter, which automagically rejects any string containing a single quote, like "O'Hara". In a smart-client situation, the client can escape these before passing them to the database. However, your typical Joe User isn't going to know that. So I'm pursuing a solution, and I'll post here whenever I find one.
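As an added illustration (editor's example, not code from the post or the pages it links to), the script below shows why "O'Hara" is a problem for a query built by string concatenation and why it is not a problem once the name is passed as a bound parameter, which is the usual answer to the dilemma above rather than escaping on the client. The sample users, the `looks_like_name` shape check and the `example.invalid` addresses are all constructed for the demo. Note that the regex only checks that the input has the shape of a name (letters joined by spaces, apostrophes or hyphens); it is a data-quality check, and the parameterised query is what actually stops injection.

```python
import re
import sqlite3

# Constructed sample data for the demo; not from the original post.
SAMPLE_USERS = [
    ("O'Hara", "ohara@example.invalid"),
    ("Ben-Yehuda", "by@example.invalid"),
    ("Smith", "smith@example.invalid"),
]

# Name shape: runs of letters (any script) joined by a single space, apostrophe or hyphen.
# This is an input-shape check only; it is NOT the injection defence (see lookup_safe).
NAME_RE = re.compile(r"[^\W\d_]+(?:[ '\-][^\W\d_]+)*")


def looks_like_name(value: str) -> bool:
    """Accept O'Hara or Ben-Yehuda and reject SQL fragments without banning the apostrophe."""
    return 0 < len(value) <= 64 and NAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database loaded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, last_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (last_name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """The 'before' case: the name is spliced into the SQL text, so a quote ends the literal."""
    sql = "SELECT email FROM users WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, last_name: str) -> list:
    """Bound parameter: the value travels separately from the SQL text, so quotes are just data."""
    cur = conn.execute("SELECT email FROM users WHERE last_name = ?", (last_name,))
    return [row[0] for row in cur]


def demo() -> dict:
    """Run both lookups against a legitimate Irish name and a classic injection string."""
    conn = make_db()
    injected = "x' OR '1'='1"
    results = {}
    try:
        # 'O'Hara' becomes ... = 'O'Hara' : the literal ends after O and the parser chokes.
        results["vuln_ohara"] = lookup_vulnerable(conn, "O'Hara")
    except sqlite3.OperationalError:
        results["vuln_ohara"] = "syntax error"
    # ... = 'x' OR '1'='1' : the WHERE clause is always true and every row leaks.
    results["vuln_injected"] = lookup_vulnerable(conn, injected)
    # With a bound parameter the apostrophe in O'Hara is compared literally and matches.
    results["safe_ohara"] = lookup_safe(conn, "O'Hara")
    # The same injection string is now just a name nobody has, so nothing comes back.
    results["safe_injected"] = lookup_safe(conn, injected)
    results["name_checks"] = {
        n: looks_like_name(n)
        for n in ["O'Hara", "Ben-Yehuda", injected, "Robert'); DROP TABLE users;--"]
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the concatenated query failing outright on "O'Hara" and returning every row for the injection string, while the parameterised query finds O'Hara and returns nothing for the injection string; `looks_like_name` accepts both sample names and rejects both attack strings, so a name field can keep its apostrophes and hyphens without the whitelist problem the post describes.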