The standard advice for how to avoid SQL injection attacks
in Java is to use PreparedStatement instead of Statement. I don't know the
details of Saxon's sql: functions but I expect it would take quite a bit of
rearchitecting to make that change.
Since it's usually easy to switch to PreparedStatement,
there isn't a whole lot of knowledge in the Java world of other methods of
avoiding SQL injection. You might have to ask how other languages (for example
PHP) deal with that problem.
I've added an sql:execute instruction for the next release,
and also an auto-commit="yes|no" option on sql:connect.
I was a bit shocked to discover that the SQL injection
worked. It means it's the stylesheet author's job to ensure any parameters
inserted into the SQL statements are safe. Is there any advice available as to
what needs to be done to close off this possibility, i.e. what to look for in
the inserted strings?
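As an added illustration of the PreparedStatement advice earlier in the thread and of the last question (what to look for in inserted strings), here is a small Java program that is not part of the thread or of Saxon. It runs the same lookup twice: once with the value concatenated into the SQL text (which is what a Statement-based extension effectively does) and once through a JDBC placeholder. The class name, method names, the `products` table, the `jdbc:h2:mem:demo` URL (the H2 driver on the classpath is an assumption; the JDBC calls themselves are standard) and the `O'Reilly` input are all constructed for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example, not code from the Saxon thread. Compares a concatenated
 * query with a parameterised one on a constructed in-memory H2 table
 * (assumption: the H2 JDBC driver is available; any driver behaves the same).
 */
public class ParameterisedQueryDemo {

    /** Concatenation: the caller's value becomes part of the SQL grammar. */
    static String concatenatedQuery(String name) {
        return "SELECT COUNT(*) FROM products WHERE name = '" + name + "'";
    }

    static int countWithStatement(Connection conn, String name) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(concatenatedQuery(name))) {
            rs.next();
            return rs.getInt(1);
        }
    }

    /** Placeholder: the driver passes the value separately from the SQL text. */
    static int countWithPreparedStatement(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT COUNT(*) FROM products WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo");
             Statement setup = conn.createStatement()) {
            // Constructed table with one row whose value legitimately contains a quote.
            setup.execute("CREATE TABLE products (id INT, name VARCHAR(50))");
            setup.execute("INSERT INTO products VALUES (1, 'O''Reilly')");

            String input = "O'Reilly";   // constructed user-supplied value

            // Placeholder version: the quote is plain data, the row is found (count 1).
            System.out.println("prepared:  " + countWithPreparedStatement(conn, input));

            // Concatenated version: the quote ends the string literal, so the SQL the
            // database sees is not the SQL the author wrote; H2 rejects it as a syntax
            // error here, and a differently shaped value could change its meaning instead.
            try {
                System.out.println("statement: " + countWithStatement(conn, input));
            } catch (SQLException e) {
                System.out.println("statement: SQL syntax error -> " + e.getMessage());
            }
        }
    }
}
```

The point for the "what to look for" question is that with placeholders there is nothing to look for: the value never enters the SQL text, so it needs no inspection or escaping. The one thing a placeholder cannot carry is an identifier (a table or column name), so any identifier taken from a parameter has to be matched against a fixed allow-list in the stylesheet or application rather than inserted into the statement.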