Instead, you use a data access layer, that always binds parameters.
Kinda like I said above. Only you claim that you will miss sanitizing something. So what if you forget to use bound parameters? Oh that's right, things work perfectly in your view of the world but everyone else is wrong. Use a data access layer, access everything the same way.
I don't so much care how "thick" your data access layer is - a thousand layers of code or just a rule - the important thing is that at the bottom you MUST use bound parameters instead of doubling all your quotes and wrapping it in quotes.
In-band signaling... I'll leave that for others if they want to rip it apart. I assume you mean escape sequences, replacing control characters with escapes specifically. There are common ways of replacing, and common ways to defeat common ways of replacing. It has nothing to do with in or out of band signaling.
Poor choice of words, perhaps - what it really boils down to is, don't let your users write your source code. Seems pretty obvious when you say it that way, but so many things like SQL injection attacks, XSS browser problems, etc, all come down to taking a string of user input and putting it into an environment where it gets evaluated as executable code. People see that it's happening (usually the first time Mr. O'Brien registers), and they try to patch it, but they usually fail one way or another.
For example, go back a few weeks and find the slashdot article about the voting machine being hacked (legally, during a public eval period) by some researchers. It turned out to be the wrong kind of quotes used in a shell script, which meant that a carefully crafted input ended up being executed as code. Watch over the next few weeks/months as various as-yet-unknown exploits are discussed in academic or real-world settings, and 99% of the time it ends up that user input is being executed in some way. And more often than not, there was some sort of attempt at "sanitizing" the input, which failed to account for something.
IF you have a bug in the binding, such as the case here, it doesn't matter if it's in or out of band. There is a bug, and it will likely be discovered sooner or later.
Yes, there could always be a bug in an underlying library. If the bug is in a subroutine that supposedly sanitizes your data, you're screwed (and note that there's a decent chance you won't know about the bug until someone else uses it on you). If the bug is in the SQL binding code, and the 8 bytes that's supposed to represent am IEEE floating point number happens to end up containing 'or1=1-- , then it probably doesn't matter, because no part of an SQL driver is likely to be expecting to execute the binary data of a bound parameter. And if there is someone a problem where the data packets DO try to get evaluated, you're far more likely to find it before the system hits production, because the vast majority of such attempted evaluations will fail miserably due to syntactical errors or whatever.
I only know of ONE environment where you really have no choice but to "escape" a bunch of strings, glue them together, and hope for the best: HTML. There's no equivalent of a bound parameter. And this fundamental flaw is why web pages designed by careless people (realistically, that's most of them) will always be easily exploitable, and web pages designed by careful people will also be exploitable, just not as easily and somewhat less often.
Mark my words: ten years from now, if people are still using HTML, there will still be major new types of attacks being discovered and utilized every other month or so. It's inherent in the architecture, and every new feature (javascript, CSS, etc) just introduces new escaping rules for people to fuck up..