These guidelines apply across all database technologies.
They should be used in conjunction with the database-specific Secure Coding Guidelines...
Apply the principle of "Least Privilege" or "Deny by Default".
Always validate user input received from a database client or application by checking its type, length, format, and range before sending it to the database server, to minimize the risk of SQL injection.
Any database interaction should be through the use of stored procedures and not dynamic SQL.
Application users should not have INSERT, UPDATE, or DELETE privileges (just EXECUTE permissions on stored procedures that enable this functionality).
There should be no SQL query in the application code produced by string concatenation.
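The following is an added example, not code from the original page, showing how the input-validation and "no string concatenation" guidelines above look in practice. It uses Python's standard sqlite3 module with a constructed in-memory table; SQLite has no stored procedures or GRANT/REVOKE, so the EXECUTE-only privilege model for application users is something to configure in the real DBMS and is only noted in comments here. The username rules (allowed characters, 1 to 32 characters) and the page-size range are assumptions chosen for illustration.

```python
import re
import sqlite3

# Constructed sample data (not from the original page): an in-memory
# users table standing in for the application's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    conn.commit()
    return conn


# Assumed username policy: lowercase letters, digits, and a few punctuation
# characters, 1 to 32 characters. An apostrophe is deliberately allowed to
# show that validation alone does not make concatenated SQL safe.
USERNAME_RE = re.compile(r"[a-z0-9_'.-]{1,32}")


def validate_username(value):
    # Type check
    if not isinstance(value, str):
        raise ValueError("username must be a string")
    # Length check
    if not 1 <= len(value) <= 32:
        raise ValueError("username length out of range")
    # Format check
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains disallowed characters")
    return value


def validate_page_size(value):
    # Type check (bool is an int subclass, so exclude it explicitly)
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError("page size must be an integer")
    # Range check: assumed limit of 1..100 rows per page
    if not 1 <= value <= 100:
        raise ValueError("page size out of range")
    return value


def find_user_concatenated(conn, username):
    # The forbidden pattern: SQL text built by string concatenation.
    # Even a validated username like o'brien breaks the statement, and
    # any input with quote characters can change the query's meaning.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    # The required pattern: validate first, then bind the value as a
    # parameter so the driver never mixes it into the SQL text.
    # In a DBMS with stored procedures this would be an EXECUTE call on
    # a procedure, with the application role lacking direct table rights.
    username = validate_username(username)
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def run_demo():
    """Return (concatenation_failed, parameterized_rows, long_input_rejected)."""
    conn = make_db()
    try:
        find_user_concatenated(conn, "o'brien")
        concat_failed = False
    except sqlite3.OperationalError:
        concat_failed = True
    rows = find_user_parameterized(conn, "o'brien")
    try:
        validate_username("x" * 33)
        long_rejected = False
    except ValueError:
        long_rejected = True
    return concat_failed, rows, long_rejected


if __name__ == "__main__":
    print(run_demo())
```

Running the block shows the concatenated query failing on a legitimate value containing a quote while the parameterized query returns the row, and the length check rejecting an over-long input before it ever reaches the database.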