Which is the only proven way to prevent SQL Inject

Which is the only proven way to prevent SQL Injection

Explanation

Query parametrization is the only way of preventing SQL injections into the database.
By using of parameters we can avoid SQL injection. If we don't use parameters , intruders will inject hursh content to destory or capture your database like this . SELECT * FROM tbllogin WHERE UserId = 6 OR 1=1; SELECT * FROM tbllogin; DROP TABLE tbllogin

Theory

SQL Injection
SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input.
Injected SQL commands can alter SQL statement and compromise the security of a web application.
Read more: SQL Injection
SQL Injection - Parameters for Protection
Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks.
This is not a very good idea. Many of these words (like delete or drop) and characters (like semicolons and quotation marks), are used in common language, and should be allowed in many types of input. (In fact it should be perfectly legal to input an SQL statement in a database field.)
The only proven way to protect a web site from SQL injection attacks, is to use SQL parameters.
SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
Read more: SQL Injection