The standard advice for how to avoid SQL injection attacks in Java is to use PreparedStatement instead of Statement. I don't know the details of Saxon's sql: functions but I expect it would take quite a bit of rearchitecting to make that change.
Since it's usually easy to switch to PreparedStatement, there isn't a whole lot of knowledge in the Java world of other methods of avoiding SQL injection. You might have to ask how other languages (for example PHP) deal with that problem.

From: Michael Kay
Sent: January 27, 2010 05:24
To: 'Mailing list for the SAXON XSLT and XQuery processor'
Subject: Re: [saxon] saxon sql extensions - mysql autoCommit(false)

I've added an sql:execute instruction for the next release, and also an auto-commit="yes|no" option on sql:connect.
I was a bit shocked to discover that the SQL injection worked. It means it's the stylesheet author's job to ensure any parameters inserted into the SQL statements are safe. Is there any advice available as to what needs to be done to close off this possibility, i.e. what to look for in the inserted strings?


Michael Kay
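
The difference between `Statement` and `PreparedStatement` that the reply refers to, as an added example that is not part of the original thread and not Saxon's code. The class name, table, and sample input are constructed for illustration, and the JDBC URL passed as the first argument is assumed to point at a scratch database whose driver is on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class BindVsConcat {

    // Vulnerable form: the value becomes part of the SQL text,
    // so a quote character inside it changes the structure of the query.
    static int countByConcat(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Hardened form: the SQL text is fixed and the value travels
    // separately as a bound parameter, so it is only ever compared as data.
    static int countByBinding(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: args[0] is a JDBC URL for an empty scratch database.
        try (Connection c = DriverManager.getConnection(args[0])) {
            try (Statement st = c.createStatement()) {
                st.executeUpdate("CREATE TABLE users (name VARCHAR(32))");
                st.executeUpdate("INSERT INTO users VALUES ('alice')");
                st.executeUpdate("INSERT INTO users VALUES ('bob')");
            }
            // Constructed sample value standing in for a parameter inserted into a statement.
            String constructed = "nobody' OR '1'='1";
            System.out.println("concatenated: " + countByConcat(c, constructed));
            System.out.println("bound:        " + countByBinding(c, constructed));
        }
    }
}
```

With the concatenated query the sample value rewrites the WHERE clause so that it matches every row. With the bound parameter the same value is compared literally against the name column and matches none.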