Based on Using Parse Tree Validation to Prevent SQL Injection Attacks by Gregory T. Buehrer, Bruce W. Weide, and Paolo A. G. Sivilotti.
An SQL injection attack targets interactive web applications that employ database services. Such applications accept user input, such as form fields, and then include this input in database requests, typically SQL statements. In SQL injection, the attacker provides user input that results in a different database request than was intended by the application programmer. That is, the interpretation of the user input as part of a larger SQL statement, results in an SQL statement of a different form than originally intended. We describe a technique to prevent this kind of manipulation and hence eliminate SQL injection vulnerabilities. The technique is based on comparing, at run time, the parse tree of the SQL statement before inclusion of user input with that resulting after inclusion of input.
I wrote a simple Bison grammar for a subset of SQL and a lexer in Flex, then a PHP frontend that presents the user differences between parse trees of two queries: a reference query and a query to test.
Using Parse Tree Validation to Prevent SQL Injection Attacks - Flyer .