There is no encoding for T-SQL statements

Nov 17, 2011 at 8:54 PM

Are there any suggestions from the experts on the safest way to encode T-SQL literals so that user input does not inject SQL into the statement?

I know the recommendation is to use SQL Parameters, but I have an unusual use case where this is not possible (constructing a CREATE VIEW statement), so I am looking for an alternative.
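As an added example, not part of the original post: the two escaping rules T-SQL actually has (double the single quote inside a `'...'` literal; bracket-delimit identifiers and double any `]`, which is what `QUOTENAME()` does server-side) applied to a dynamically built CREATE VIEW. The helper names, the 128-character sysname limit check and the sample input are the example's own, and the note that object names should be validated against a known list rather than merely escaped is the practitioner's caveat, not something the post states.

```python
# Added example: building a CREATE VIEW statement without SQL Parameters,
# using the escaping rules T-SQL itself defines for literals and identifiers.


def quote_literal(value: str) -> str:
    """Render a Python string as a T-SQL Unicode string literal.

    Inside a '...' literal the only special character is the single quote,
    which T-SQL escapes by doubling it. The N prefix keeps non-ASCII input
    from being converted through the server code page.
    """
    return "N'" + value.replace("'", "''") + "'"


def quote_identifier(name: str) -> str:
    """Bracket-quote an identifier the way T-SQL's QUOTENAME() does.

    Identifiers are NOT string literals: they are delimited with [ ] and the
    only character that must be doubled is ]. QUOTENAME() returns NULL for
    names longer than 128 characters (sysname); this helper raises instead.
    Because any syntactically valid name is still accepted, object names taken
    from user input should additionally be checked against a known list
    (e.g. the columns that really exist) before being used.
    """
    if len(name) > 128:
        raise ValueError("identifier exceeds the 128-character sysname limit")
    return "[" + name.replace("]", "]]") + "]"


def build_create_view(view: str, table: str, column: str, match: str) -> str:
    """Assemble CREATE VIEW with quoted identifiers and an escaped literal."""
    return (
        f"CREATE VIEW {quote_identifier(view)} AS "
        f"SELECT * FROM {quote_identifier(table)} "
        f"WHERE {quote_identifier(column)} = {quote_literal(match)};"
    )


if __name__ == "__main__":
    # Constructed input that tries to close the literal and append a statement;
    # after escaping it is an inert string value.
    user_value = "O'Brien'; SELECT 1; --"
    print(build_create_view("v_Customers", "Customers", "LastName", user_value))
```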