• GSquared (6/6/2008)


    The problem I was bringing up is that, according to the news articles in May this year, thousands of servers did NOT have adequate SQL injection prevention measures, and according to at least two threads on SSC's forums, there are DBAs/Devs who think you can prevent SQL injection in exactly the way I described.

    The whole point of the question is that preventing SQL keywords in the variables part of a URL doesn't work. Judging by the news on Internet Storm Center, there are still problems with this.

    I agree that these methods aren't foolproof, but assuming you're really "preventing SQL keywords in the variables part of the URL", the string passed in would be rejected based on the keywords below (I bolded and underlined them - they're all SQL Server reserved keywords):

    declare @a varchar(1000);set @a=cast(0x73656C656374206E616D652066726F6D207379732E6461746162617365733B as varchar(1000));exec(@a)

    You're right though, scanning for keywords is not the best method for dealing with these types of issues, especially when you're dealing with values that can be parameterized like predicate constants and values.
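An added illustration of the two points made above, not code from the thread or its posters: it decodes the hex literal in the quoted payload to show what the keyword scanner never sees, runs a small keyword blocklist of the kind described over both the raw and the decoded text, and then contrasts a concatenated query with a parameterised one on an input that passes the blocklist. Python's sqlite3 stands in for SQL Server; the blocklist contents, the `products` table and the `x' OR 'a'='a` input are assumptions made for the demo.

```python
"""Keyword filtering vs. parameterisation (added example, not from the thread)."""
import re
import sqlite3

# The payload quoted in the post, as it would arrive in a URL variable.
POSTED_PAYLOAD = (
    "declare @a varchar(1000);set @a=cast("
    "0x73656C656374206E616D652066726F6D207379732E6461746162617365733B"
    " as varchar(1000));exec(@a)"
)

# Assumed blocklist of SQL Server reserved words, the kind of check the
# thread describes. Real lists are longer; the weakness is the same.
BLOCKED_KEYWORDS = {"select", "insert", "update", "delete", "drop", "union",
                    "declare", "exec", "cast", "set", "varchar"}

# Assumed attacker input that contains none of the words above.
BYPASS_INPUT = "x' OR 'a'='a"


def contains_blocked_keyword(value):
    """Return the blocked keywords that appear as whole words in value."""
    words = set(re.findall(r"[a-z_]+", value.lower()))
    return words & BLOCKED_KEYWORDS


def decode_hex_literal(value):
    """Decode the first 0x... literal in value.

    This is the string that cast(0x... as varchar(1000)) produces on the
    server; a scanner that looks at the raw URL never sees it.
    """
    match = re.search(r"0x([0-9A-Fa-f]+)", value)
    return bytes.fromhex(match.group(1)).decode("ascii") if match else ""


def make_db():
    """In-memory database with an assumed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn


def lookup_vulnerable(conn, name):
    """Query built by string concatenation: user input becomes SQL text."""
    sql = "SELECT id, name FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Same query with a bound parameter: user input is only ever a value."""
    return conn.execute("SELECT id, name FROM products WHERE name = ?",
                        (name,)).fetchall()


if __name__ == "__main__":
    # The raw payload is caught only because declare/set/cast/exec are in
    # the list; the real statement is hidden inside the hex literal.
    print("raw payload flagged on:", sorted(contains_blocked_keyword(POSTED_PAYLOAD)))
    inner = decode_hex_literal(POSTED_PAYLOAD)
    print("decoded hex literal:", inner)
    print("decoded text flagged on:", sorted(contains_blocked_keyword(inner)))

    # An input with no reserved words passes the scanner but still injects.
    print("bypass input flagged on:", sorted(contains_blocked_keyword(BYPASS_INPUT)))
    db = make_db()
    print("concatenated query returns:", lookup_vulnerable(db, BYPASS_INPUT))
    print("parameterised query returns:", lookup_parameterised(db, BYPASS_INPUT))
```

The decoded literal is `select name from sys.databases;`, so the blocklist only ever matches the wrapper (`declare`, `set`, `cast`, `exec`, `varchar`), never the statement that actually runs. The second input shows the other failure mode: `x' OR 'a'='a` contains no reserved word, so the scanner passes it, the concatenated query returns every row, and the parameterised query returns nothing because the whole string is compared as a literal name.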