It's prone to SQL injection attack, how to resolve it?
@technotowntechie9732 1 year ago
You can use Prepared Statements or Parameterized Queries or use Named Parameters. Validate user inputs before using them in SQL queries. Ensure that inputs adhere to the expected format and do not contain malicious characters. Regular expressions or other validation mechanisms can be employed for this purpose. Use stored procedures whenever possible. This shifts the responsibility of SQL query construction to the database, making it harder for attackers to inject malicious SQL.
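An added example, not part of the original comment thread: the named-parameter query and regex validation the reply recommends, next to the string-concatenated form they replace, using Python's `sqlite3`. The `users` table, its columns, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumption: usernames are 3-32 characters of letters, digits or underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO users (username) VALUES (?)",
                   [("alice",), ("bob",)])
    return db


def find_user_concat(db, username):
    """'Before' form: the input becomes part of the SQL text itself."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def find_user_param(db, username):
    """Named parameter: the value is bound separately and is never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = :username"
    return db.execute(sql, {"username": username}).fetchall()


def find_user_validated(db, username):
    """Validation as a second layer in front of the parameterized query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the expected format")
    return find_user_param(db, username)


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"   # constructed input containing a quote
    print("concatenated :", find_user_concat(db, crafted))  # matches every row
    print("parameterized:", find_user_param(db, crafted))   # matches nothing
    try:
        find_user_validated(db, crafted)
    except ValueError as exc:
        print("validated    :", exc)
```

The binding is what stops the injection; the regex only narrows what reaches the query, and on its own it would also reject legitimate values that contain a quote.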