  1. Every access to backend systems such as databases MUST be parameterized[1], e.g. via prepared statements or O/R mappers (e.g. Hibernate), wherever the API offers such a mechanism.

  2. All parameters, whether internal or user-controlled, MUST be passed as bound parameters of the prepared statement (or equivalent API call), never concatenated into the statement text.

  3. If an API provides no parameterized statements at all, parameters MUST be encoded with a suitable API for that interpreter (e.g. SQL encoding of string literals) to prevent interpreter injection.

  4. User-controlled parameters MUST be encoded with a suitable API and method for their output context when written into a webpage:

    1. HTML context: HTML entity encoding

    2. JavaScript context: JavaScript escaping

    3. CSS context: CSS escaping

  5. Output encoding SHOULD only be implemented with mature APIs and frameworks.

  6. Implicit validation (e.g. via ORM frameworks or template technologies) SHOULD be preferred to explicit validation (API calls).
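The following Python example was added here to illustrate rules 1 to 5 together; it is not code from the original page or from any project the page references. It uses only the standard library (sqlite3, html, json) and a constructed in-memory `users` table. `find_user_unsafe` shows the concatenation that rule 1 forbids, `find_user_safe` the bound parameter that rules 1 and 2 require, `find_users_sorted` and `sql_string_literal` the allow-list and SQL-encoding fallback of rule 3 (SQL identifiers such as column names cannot be bound in any driver), and `html_encode`, `js_string_literal` and `css_escape` one encoder per output context as in rule 4. The function names, the allow-list `SORTABLE_COLUMNS` and the sample rows are assumptions of this example.

```python
"""Parameterized queries and context-aware output encoding (added example)."""
import html
import json
import re
import sqlite3


def make_db():
    # Constructed sample data for this example, not taken from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Violates rule 1: the caller's value is spliced into the statement text,
    so a value such as  ' OR '1'='1  rewrites the query's logic."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Rules 1 and 2: fixed statement text; the value travels as a bound
    parameter and is never interpreted as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Rule 3: identifiers (column or table names) cannot be bound as parameters
# in any SQL API, so they are validated against an allow-list (assumed here).
SORTABLE_COLUMNS = {"id", "name", "role"}


def find_users_sorted(conn, column):
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    # The identifier is double-quoted in addition to being allow-listed.
    return conn.execute('SELECT name FROM users ORDER BY "%s"' % column).fetchall()


def sql_string_literal(value):
    """Rule 3 fallback for string values when an API has no bind support:
    SQL encoding of a literal by doubling embedded single quotes.
    Binding (find_user_safe) is always preferred where it exists."""
    return "'" + value.replace("'", "''") + "'"


# Rule 4: one encoder per output context, built on standard-library
# primitives rather than hand-rolled regexes (rule 5).
def html_encode(value):
    """4a: HTML entity encoding for element text and attribute values."""
    return html.escape(value, quote=True)


def js_string_literal(value):
    """4b: JavaScript string escaping. json.dumps yields a valid JS string
    literal; < > & are additionally hex-escaped so that a value containing
    </script> cannot terminate the enclosing script block."""
    s = json.dumps(value)  # ensure_ascii=True also escapes U+2028/U+2029
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def css_escape(value):
    """4c: CSS escaping. Every character except ASCII letters and digits is
    emitted as a backslash hex escape terminated by a space."""
    return "".join(
        c if re.fullmatch(r"[A-Za-z0-9]", c) else "\\%x " % ord(c) for c in value
    )


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))  # all three rows
    print("safe:  ", find_user_safe(db, payload))    # no rows
    print("sorted:", find_users_sorted(db, "name"))
    print(html_encode('<a href="x">'))
    print(js_string_literal("</script><script>alert(1)</script>"))
    print(css_escape("red; } body { display:none"))
```

Running the script shows the tautology payload returning every row through `find_user_unsafe` and nothing through `find_user_safe`. The three encoders are deliberately separate: a value bound for HTML text is not safe inside a `<script>` block or a `style` attribute, which is why rule 4 ties the encoder to the output context. In line with rule 6, a template engine with autoescaping enabled applies `html_encode` implicitly and is preferable to calling it by hand at every output site.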

...