Understanding that Parameterized Stored Procedures are the best way to go ... having said that:
If I must use Dynamic SQL (SQL Server) with variable numbers of tables and fields, how "safe" is it for me to "Clean" the string by using regex (or other function) to ensure that:
1) the input string is limited to a short string (such as 15 characters to prevent buffer overflow errors)
2) only the characters A-Z, a-z, 0-9 and _ are used (no other symbols, semicolons, etc.)
Example SQL Statement:
"SELECT orderID where ProductDescription = '" & CleanedSQLText & "'"
Also, is using QUOTENAME for fieldnames and tablenames considered reasonably safe to prevent SQL Injections as well?
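As an added illustration (not part of the original question), here is how a T-SQL procedure can combine the two ideas above: identifiers are checked against the catalog and wrapped with QUOTENAME, and the value is passed to sp_executesql as a typed parameter instead of being concatenated, so no character-filtering of the value is needed at all. It assumes a hypothetical table dbo.Orders with columns OrderID and ProductDescription; those names are assumptions, not from the post.

```sql
-- Added example (not from the original post). Assumes a hypothetical table
-- dbo.Orders with columns OrderID and ProductDescription.
CREATE OR ALTER PROCEDURE dbo.FindOrders
    @TableName  sysname,
    @ColumnName sysname,
    @Value      nvarchar(200)
AS
BEGIN
    SET NOCOUNT ON;

    -- Identifiers: instead of a regex allow-list, require that the table and
    -- column actually exist in the dbo schema before they are spliced into SQL.
    IF NOT EXISTS (
        SELECT 1
        FROM sys.columns AS c
        JOIN sys.tables  AS t ON t.object_id = c.object_id
        JOIN sys.schemas AS s ON s.schema_id = t.schema_id
        WHERE s.name = N'dbo' AND t.name = @TableName AND c.name = @ColumnName
    )
    BEGIN
        RAISERROR('Unknown table or column.', 16, 1);
        RETURN;
    END;

    -- QUOTENAME wraps the identifier in [] and doubles any ] it contains, so
    -- the identifier cannot close early and begin a new statement.
    DECLARE @sql nvarchar(max) =
          N'SELECT OrderID FROM dbo.' + QUOTENAME(@TableName)
        + N' WHERE ' + QUOTENAME(@ColumnName) + N' = @p;';

    -- The value is never concatenated: it travels as a parameter, so quotes,
    -- semicolons or comment markers inside it are just data.
    EXEC sys.sp_executesql @sql, N'@p nvarchar(200)', @p = @Value;
END;
GO

-- Constructed call: the value contains quotes and a semicolon, and the
-- parameter simply does not match any row; nothing else is executed.
EXEC dbo.FindOrders
    @TableName  = N'Orders',
    @ColumnName = N'ProductDescription',
    @Value      = N'O''Brien''s widget; SELECT 1';
```

The catalog check plus QUOTENAME covers the variable table and column names, while sp_executesql parameters cover the values, which is why the 15-character/alphanumeric filter is only needed where a value genuinely must be spliced in as text.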