noeld's idea is great. You can check with a UDF, but you must handle many possibilities, such as '--', '*' and other reserved characters.
Beware of SQL Poisoning! For example, an SQL query can be poisoned by inserting two or more SQL queries after your original one, using termination characters such as '--' and ';'. Search for SQL Poisoning on the Internet to learn more.
Regards,
kokyan
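Added example, not code from kokyan's post or from the thread it replies to: a concatenated query next to a parameterized one over a constructed in-memory SQLite table, plus the kind of terminator blocklist the post suggests, showing that the blocklist misses an input the parameterized query handles. The table, row values and function names are assumptions.

```python
import sqlite3

# Constructed sample data; the table and names are assumptions, not from the post.
SAMPLE_ROWS = [("alice", "admin"), ("bob", "user")]


def setup_db():
    """Creates an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def looks_poisoned(value):
    """Blocklist check in the spirit of the post: flags obvious terminators.
    Included to show that such a list is never complete."""
    return any(token in value for token in ("--", ";", "/*", "*/"))


def lookup_unsafe(conn, name):
    """Builds the statement by string concatenation: the input becomes SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Binds the input as a parameter: the driver treats it as data, never SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Returns (blocklist_flagged, rows_from_unsafe, rows_from_safe) for one input."""
    conn = setup_db()
    return looks_poisoned(name), lookup_unsafe(conn, name), lookup_safe(conn, name)
```

Note that Python's sqlite3 module refuses a second ';'-separated statement in execute(), yet the comment-only form and the form with no terminator at all still pass through the concatenated query; parameter binding closes all three.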