in reply to CGI - remove unwanted values

>One way to stop SQL injection for example is to stop them at the door, i.e.

The best way to stop SQL injection is not to allow it. That is done with placeholders, aka "host variables". Basically, a placeholder can only hold the expected data. That is, it needs no quotes, or escapes, or anything. The system expects it, and they are generally strongly typed.

If you need to pass arguments, use host variables, and make sure your module supports them. It is considered pretty basic functionality.
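Added example, not part of the original reply: a string-concatenated query next to the placeholder form described above, run against a constructed in-memory table. The post names no language or database module, so Python's standard `sqlite3` module is an assumption here, as are the table, the function names and the sample values. The last function goes slightly beyond the post to show that placeholders bind values only, so an identifier such as a sort column needs an allow-list.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the application's data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return db

def lookup_concat(db, name):
    """'Before': the value is pasted into the SQL text, so it can alter the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_placeholder(db, name):
    """'After': the SQL text is fixed and the value is passed separately as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

# Placeholders bind values, not identifiers, so column names are allow-listed.
SORTABLE = {"name", "role"}

def list_sorted(db, column):
    if column not in SORTABLE:
        raise ValueError("unsupported sort column")
    return [row[0] for row in db.execute(f"SELECT name FROM users ORDER BY {column}, name")]

if __name__ == "__main__":
    db = make_db()
    form_value = "x' OR '1'='1"  # constructed sample of a hostile form field
    print("concatenated:", lookup_concat(db, form_value))       # every row comes back
    print("placeholder: ", lookup_placeholder(db, form_value))  # no row has that name
    print("placeholder: ", lookup_placeholder(db, "o'brien"))   # quote needs no escaping
    try:
        lookup_concat(db, "o'brien")  # a legitimate name breaks the concatenated SQL
    except sqlite3.OperationalError as err:
        print("concatenated:", err)
```

The concatenated version fails both ways: the constructed hostile value changes the WHERE clause, and the legitimate name `o'brien` produces a syntax error, while the placeholder version handles both as plain data.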