Section 5.1.1
Sub Level: General
User-supplied data must never change the intent of a database query: it is data, not SQL. Ensure that anything supplied by the user is never parsed as part of the SQL text. Use prepared statements (parameterized queries) wherever possible, and never build a query by concatenating or formatting user input into a string. Note that placeholders bind values only; a user-chosen table or column name cannot be bound and has to be checked against a fixed allow-list instead.
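The following is an added example (not code from the original page) showing the general rule above in Python with the standard-library sqlite3 module: a login check built by string concatenation beside the same check using bound parameters, plus an allow-listed sort column for the one case a placeholder cannot cover. The users table, the credentials and the attack string are constructed for the example; real code would store password hashes, not plaintext.

```python
import sqlite3

# Constructed sample data for the example (plaintext only to keep it short).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Identifiers cannot be bound as parameters, so any user-chosen column name
# must come from a fixed allow-list before it reaches the SQL text.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE (the 'before' case): user data is spliced into the SQL
    text, so a quote in the input changes the query's intent."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """FIXED: '?' placeholders; the driver receives the values separately
    and never parses them as SQL, whatever characters they contain."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def list_usernames(conn: sqlite3.Connection, sort_by: str) -> list:
    """ORDER BY takes an identifier, which no placeholder can bind, so the
    requested column is validated against ALLOWED_SORT_COLUMNS first."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_by)
    rows = conn.execute("SELECT username FROM users ORDER BY " + sort_by).fetchall()
    return [row[0] for row in rows]


def demo() -> dict:
    """Run both login variants against a valid password and a classic
    tautology payload, returning the outcomes for inspection."""
    conn = make_db()
    attack = "' OR '1'='1"  # constructed injection payload
    return {
        "concat_valid": login_concat(conn, "alice", "s3cret"),
        "concat_attack": login_concat(conn, "alice", attack),     # True: bypass
        "prepared_valid": login_prepared(conn, "alice", "s3cret"),
        "prepared_attack": login_prepared(conn, "alice", attack), # False: payload is just a string
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With the concatenated version the payload turns the WHERE clause into `username = 'alice' AND password = '' OR '1'='1'`, which is true for every row; with the bound parameter the same string is compared literally against the stored password and fails.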
Coldfusion

Use <cfstoredproc> together with <cfprocparam> to call stored procedures with typed, bound parameters rather than SQL built from user input. If using <cfquery>, wrap every user-supplied value in <cfqueryparam> (setting cfsqltype) so the driver binds it as a parameter instead of splicing it into the SQL text.

Django
SQL statements built by Django's ORM layer are parameterized: user input is handed to the database driver as a bound value and never spliced into the query text. The escape hatches are the exception. raw(), RawSQL, extra() and cursor.execute() all accept SQL text, so user input must be passed through their params argument, never via string formatting or concatenation.
Java

In Java, investigate all usage of java.sql.Statement to see whether user-supplied data can ever modify the query intent. As a rule, never use java.sql.Statement with user input; use java.sql.PreparedStatement or java.sql.CallableStatement with bound parameters instead.

LDAP injection is also a possibility. Take care when authoring LDAP queries: use a library that abstracts query construction and binds values for you, and where a filter or DN must be assembled by hand, escape user-supplied values for the context they land in (search-filter escaping per RFC 4515, DN escaping per RFC 4514).
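An added example of the LDAP point (written for this page, not taken from it or from any particular LDAP library), in Python so it matches the SQL example: the RFC 4515 filter-value escaping and the RFC 4514 DN-component escaping implemented by hand, with a constructed injection payload shown both unescaped and escaped. The attribute names and the filter shape are assumptions chosen for illustration.

```python
# RFC 4515: inside a search filter the only characters with meaning are
# '*', '(', ')', '\' and NUL; each is replaced by '\' + two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514: characters that must be escaped anywhere in a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_ldap_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter.
    A single pass over the characters avoids double-escaping the backslash."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_ldap_dn_value(value: str) -> str:
    """Escape one attribute value for use in a distinguished name:
    specials get a leading backslash, as do a leading '#' or space and a
    trailing space; NUL becomes '\\00'."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_filter_unsafe(username: str) -> str:
    """VULNERABLE (the 'before' case): the value is dropped straight into
    the filter, so '(' and '*' in the input add new clauses."""
    return "(&(objectClass=person)(uid=%s))" % username


def user_filter(username: str) -> str:
    """FIXED: the value is escaped, so it can only ever match literally."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)


def user_dn(cn: str, base: str = "ou=people,dc=example,dc=com") -> str:
    """Build a DN from an escaped CN; base is an assumed example suffix."""
    return "cn=%s,%s" % (escape_ldap_dn_value(cn), base)


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"  # constructed injection payload
    print(user_filter_unsafe(payload))  # extra clauses: matches every person
    print(user_filter(payload))         # one clause, value taken literally
    print(user_dn("Smith, John"))
```

Unescaped, the payload yields `(&(objectClass=person)(uid=*)(uid=*))(|(uid=*))`, whose leading filter matches every person entry; escaped, the same input is a single `uid=` assertion against the literal string. DN escaping is a separate rule set: a value safe in a filter is not automatically safe in a DN, so each sink gets its own escaper.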

Natural Webagent
This does not apply to Natural or webAgent. If using SQL to access Adabas, refer to the general guidelines.
.NET

Never build a SQL query by string concatenation. Use parameterized commands (for example SqlCommand with SqlParameter objects, or the parameter binding provided by an ORM such as Entity Framework) so that user input is bound as a value and never parsed as SQL.

PHP

Prefer prepared statements with bound parameters (PDO, or mysqli prepared statements) over escaping. The legacy mysql_* extension, including mysql_real_escape_string(), was deprecated in PHP 5.5 and removed in PHP 7.0; where escaping for MySQL is unavoidable, use mysqli_real_escape_string() on an open connection so the escaping matches the connection's character set. Escaping is context-specific: data escaped for SQL is not safe for HTML output, so escape at the point of output for each destination (client browser, database, and so on). Filtering input first is good practice, but escape every value regardless of whether it was filtered.