• SQL Injection works because it's sending direct SQL commands to the interpreter. Because of its nature, SQL can't block it: it's meant to send legitimate batches to the compiler.

    SQL cannot protect itself from legitimate commands.

    This is one of the reasons that SQL DBAs and devs alike insist that stored procedures be used for external access to the database. By restricting a login to execute rights only on procedures, you've limited the damage that login can do. For some cases, like user-defined search screens, data_reader can be allowed for sp_executeSQL calls with parameters.

    The front end must protect the database from injection if you're not letting the database protect itself by disallowing the process in the first place.


    - Craig Farrell

    Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.

    For better assistance in answering your questions | Forum Netiquette
    For index/tuning help, follow these directions. | Tally Tables

    Twitter: @AnyWayDBA
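The pattern the post describes, as an added T-SQL example (not code from the post or its author): an injectable concatenated batch next to the same search done through sp_executesql with a typed parameter, then the permission model of a login that can only EXECUTE procedures, with db_datareader granted only for the parameterized dynamic-SQL search. The table dbo.Customers, the rows in it, the login app_login and the user app_user are all assumed for illustration.

```sql
-- Added example, not from the original post. Assumes SQL Server, a
-- hypothetical dbo.Customers table, and a hypothetical login app_login.

-- Constructed sample data.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(255) NOT NULL
);
INSERT INTO dbo.Customers (LastName, Email) VALUES
    (N'Farrell', N'craig@example.com'),
    (N'O''Brien', N'obrien@example.com');
GO

-- 1. The injectable pattern: user input concatenated into the batch text.
--    An input of   x' OR 1=1 --   returns every row, and
--    x'; DROP TABLE dbo.Customers; --   appends a second statement.
--    The engine cannot tell these apart from a legitimate batch.
CREATE PROCEDURE dbo.SearchCustomers_Unsafe @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Email FROM dbo.Customers '
      + N'WHERE LastName LIKE ''' + @LastName + N'%''';
    EXEC (@sql);   -- input is parsed as code, not as data
END
GO

-- 2. Static SQL in a procedure: nothing from the caller is ever parsed
--    as SQL, and ownership chaining (dbo owns both the procedure and the
--    table) means the caller needs EXECUTE on the procedure only.
CREATE PROCEDURE dbo.GetCustomerByEmail @Email NVARCHAR(255)
AS
BEGIN
    SELECT CustomerId, LastName, Email
    FROM dbo.Customers
    WHERE Email = @Email;
END
GO

-- 3. A user-defined search that genuinely needs dynamic SQL: the input is
--    bound through sp_executesql as a typed parameter, so a quote in the
--    input can never terminate the string. (LIKE wildcards such as % and _
--    in the input still act as wildcards; that is a search-semantics
--    issue, not injection.)
CREATE PROCEDURE dbo.SearchCustomers @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Email FROM dbo.Customers '
      + N'WHERE LastName LIKE @p + N''%''';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(100)', @p = @LastName;
END
GO

-- 4. Least privilege for the application's login (login assumed to exist).
CREATE USER app_user FOR LOGIN app_login;
GRANT EXECUTE ON dbo.GetCustomerByEmail TO app_user;
GRANT EXECUTE ON dbo.SearchCustomers   TO app_user;
-- Dynamic SQL runs in the caller's context and breaks the ownership
-- chain, so the sp_executesql search needs read rights on the table.
-- db_datareader (the post's "data_reader") is the narrow grant for that;
-- no INSERT/UPDATE/DELETE, ALTER, or CREATE is ever granted.
ALTER ROLE db_datareader ADD MEMBER app_user;
GO

-- 5. Check the boundary by impersonating the application user.
EXECUTE AS USER = 'app_user';
    EXEC dbo.GetCustomerByEmail @Email = N'craig@example.com';  -- works
    EXEC dbo.SearchCustomers @LastName = N'O''Brien';           -- works, one row
    -- DROP TABLE dbo.Customers;   -- fails: app_user has no ALTER/CONTROL
    -- EXEC dbo.SearchCustomers_Unsafe N'x'' OR 1=1 --';
    -- would still dump every row: read rights can't stop a read-only
    -- injection, only parameterization does.
REVERT;
GO
```

Run as a sysadmin in a scratch database. The point of step 5 is the one the post makes: the permission model bounds what an injected statement can do (no DROP, no writes), but it does not make the concatenated procedure safe, because a SELECT-only injection is indistinguishable from a legitimate read. The front end, and procedures like SearchCustomers, still have to keep input out of the batch text.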