Hey, this is a nice post.
I have a simple way to prevent SQL injection attacks. Usually, a hacker tests if the SQL is vulnerable by adding a single or double quote in an input variable, like this:
?id=1' or ?id=1"
So I remove any quote in all variables. I use str_replace().
I see what hackers do to attack an SQL injection vulnerability, like this:
?id=1+order+by+1--
?id=1+union+select+1,2,3--
So I remove the +, -, %20, *.
I feel this is just a little trick, but it is so helpful to prevent SQL injection attacks :-)
__________________
I am sorry my English is very bad. But I am very interested to discuss here :-)
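As an added editor's example (not code from the poster), the str_replace() filter described above is shown next to a lookup that does not depend on which characters are listed: the id is validated as a whole number and bound to a prepared statement. It assumes PHP with pdo_sqlite, a constructed in-memory table named `posts`, and the hypothetical function names `stripSuspiciousChars` and `fetchPostById`.

```php
<?php
// Editor's added example, not code from the post. Assumes PHP with
// pdo_sqlite so it runs offline against an in-memory database.

// The filter the post describes: drop quotes and +, -, %20, *.
function stripSuspiciousChars(string $value): string
{
    return str_replace(["'", '"', '+', '-', '%20', '*'], '', $value);
}

// Parameterised lookup: the value is sent separately from the SQL text,
// so the database never parses it as SQL, whatever characters it holds.
function fetchPostById(PDO $pdo, string $rawId): ?array
{
    // An id is a whole number; validate the type instead of stripping.
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data (hypothetical table and rows).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO posts (id, title) VALUES (1, 'first'), (2, 'second')");

// A benign request followed by the probe inputs quoted in the post.
foreach (["1", "1'", "1+order+by+1--"] as $input) {
    printf(
        "%-16s filtered: %-10s lookup: %s\n",
        $input,
        stripSuspiciousChars($input),
        json_encode(fetchPostById($pdo, $input))
    );
}
```

Only the benign id returns a row; the two probe inputs are rejected by the type check before any SQL is built, regardless of what the character filter would have left in them.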