sql injection – how to sanitize program generated sql clause

In standard Ajax, the WHERE and ORDER BY SQL clauses are provided by the program (not the user), e.g. var url = ".select?dd=emp&where=" + escape("emp_tp='abc' and hire_dt$where =...

Am I vulnerable to SQL injection and cross site scripting (a

To start, please pardon my ignorance, I'm not a programmer but rather a student research assistant who happens to need to write some programs. Right now I'm working on a page that will take...