Parse the values and field names in the WHERE/HAVING clause, or check that the user has specified specific columns in the WHERE clause. This information can be used to code a parameterized query, which in turn helps protect against or detect SQL injection.
The sample SQL statement that needed to be parsed was:
SELECT firstname, lastname, age FROM Clients WHERE State = "CA" AND City = "Hollywood"
The result you may want to achieve is similar to this:
column: State Operator: = value: "CA"
column: City Operator: = value: "Hollywood"
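The extraction described above, and how its output feeds a parameterized query, as an added example (not code from the original page). The function names, the column allow-list and the `?` placeholder style are assumptions; only simple `column operator literal` predicates joined by AND/OR are handled, and anything else (a tautology such as `1 = 1`, a stacked statement, a column outside the allow-list) is rejected with ValueError.

```python
import re

# Assumption: tokens of simple "column op literal [AND|OR ...]" predicates only.
TOKEN = re.compile(r"""\s*(?:
    (?P<str>"(?:[^"]|"")*"|'(?:[^']|'')*')   # quoted literal, doubled quote escapes
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<op><=|>=|<>|!=|=|<|>)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
)""", re.X)

def tokenize(text):
    text, pos, out = text.rstrip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        out.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return out

def parse_where(sql, allowed_columns):
    """Return (predicates, parameterized_sql, params); raise ValueError otherwise."""
    parts = re.split(r"\bWHERE\b", sql, maxsplit=1, flags=re.I)
    if len(parts) != 2:
        raise ValueError("no WHERE clause")
    head, toks = parts[0].rstrip(), tokenize(parts[1])
    preds, clause, i = [], [], 0
    while True:
        kinds = tuple(k for k, _ in toks[i:i + 3])
        if kinds not in (("word", "op", "str"), ("word", "op", "num")):
            raise ValueError(f"expected 'column op literal' at token {i}")
        col, op, val = (t for _, t in toks[i:i + 3])
        if col not in allowed_columns:
            raise ValueError(f"column {col!r} is not allowed in WHERE")
        value = (val[1:-1].replace(val[0] * 2, val[0]) if kinds[2] == "str"
                 else float(val) if "." in val else int(val))  # unquote / convert
        preds.append((col, op, value))
        clause.append(f"{col} {op} ?")  # the literal is replaced by a placeholder
        i += 3
        if i == len(toks):
            break
        kind, word = toks[i]
        if kind != "word" or word.upper() not in ("AND", "OR"):
            raise ValueError(f"expected AND/OR, got {word!r}")
        clause.append(word.upper())
        i += 1
    return preds, f"{head} WHERE {' '.join(clause)}", [v for _, _, v in preds]

SAMPLE = 'SELECT firstname, lastname, age FROM Clients WHERE State = "CA" AND City = "Hollywood"'
```

Calling `parse_where(SAMPLE, {"State", "City"})` yields the column/operator/value triples shown above, plus the statement with `?` placeholders and the list of values to bind to them.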