Mega'and(select*from(select Sleep(2))a/**/union/**/select 1)=' -

This is a time-based blind SQL injection probe. The leading quote closes the string literal the application built around the input, and the Sleep(2) call makes the database pause for two seconds if the input is executed as SQL: a delayed response tells the attacker the injection works even when the page shows no error and returns no data. The /**/ sequences are empty inline comments used in place of spaces, a common way to slip past filters that look for "union select".

UNION: Combines the results of the original query with a new query chosen by the attacker. In data-extraction payloads it is used to pull rows from other tables, for example usernames or passwords.

Parameterized queries (prepared statements): This is the most effective defense. All user input is sent to the database as data rather than as executable code, so the Sleep(2) call is never actually run; the whole payload is simply compared as a literal string.

Input validation (allowlisting): Only allow the characters you expect. If a field is a username, reject special characters such as ', (, and *. This is defense in depth, not a substitute for parameterized queries.

Web application firewall (WAF): Can detect and block common patterns such as sleep() or union select before the request reaches your application. Note that this payload already uses /**/ instead of whitespace precisely to evade naive pattern matching, so a WAF is a filter in front of the real fix, not the fix itself.
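As an added example (not part of the original page), the Python script below runs the page's payload through a string-concatenated query and through a parameterized one, then applies the other two defenses to it. It assumes an in-memory SQLite database with a MySQL-style SLEEP() registered (SQLite has no such function), a constructed products/users schema, and a constructed UNION payload; none of these come from the page.

```python
import re
import sqlite3
import time

# Constructed sample data (not from the page) so the example runs offline.
PRODUCTS = [(1, "Mega"), (2, "Mini")]
USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]

# The payload from the page, verbatim.
TIME_PAYLOAD = "Mega'and(select*from(select Sleep(2))a/**/union/**/select 1)=' -"
# A constructed UNION payload that pulls rows out of another table.
UNION_PAYLOAD = "Mega' UNION SELECT password FROM users--"


def mysql_sleep(seconds):
    """Assumed stand-in for MySQL SLEEP(): pauses, then returns 0."""
    time.sleep(seconds)
    return 0


def make_db():
    """In-memory SQLite database with the emulated SLEEP() registered."""
    conn = sqlite3.connect(":memory:")
    # SQLite function names are case-insensitive, so Sleep(2) resolves here.
    conn.create_function("sleep", 1, mysql_sleep)
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the input is parsed as part of the SQL text."""
    sql = "SELECT name FROM products WHERE name='" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Prepared statement: the value travels separately, as data, never as SQL."""
    sql = "SELECT name FROM products WHERE name=?"
    return [row[0] for row in conn.execute(sql, (name,))]


def timed(fn, *args):
    """Return (result, elapsed_seconds); the delay is what a blind probe measures."""
    start = time.monotonic()
    result = fn(*args)
    return result, time.monotonic() - start


# Allowlist validation: a username is letters, digits and underscore only.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None


# Two WAF-style signature checks. The naive one expects whitespace between
# UNION and SELECT and is beaten by /**/; the second strips inline comments
# before matching, which is the minimum normalization a real WAF must do.
UNION_SIG = re.compile(r"union\s+select", re.I)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def naive_waf_blocks(value):
    return UNION_SIG.search(value) is not None


def normalizing_waf_blocks(value):
    return UNION_SIG.search(COMMENT_RE.sub(" ", value)) is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable + UNION payload:", lookup_vulnerable(db, UNION_PAYLOAD))
    print("parameterized + UNION payload:", lookup_parameterized(db, UNION_PAYLOAD))
    print("vulnerable + time payload:", timed(lookup_vulnerable, db, TIME_PAYLOAD))
    print("parameterized + time payload:", timed(lookup_parameterized, db, TIME_PAYLOAD))
    print("allowlist accepts payload:", is_valid_username(TIME_PAYLOAD))
    print("naive WAF blocks payload:", naive_waf_blocks(TIME_PAYLOAD))
    print("normalizing WAF blocks payload:", normalizing_waf_blocks(TIME_PAYLOAD))
```

The concatenated query pauses for about two seconds on the page's payload and leaks the users table on the UNION payload; the parameterized query returns nothing for either, because no product is literally named after the payload. The naive signature misses the page's payload for exactly the reason the page hints at: /**/ is not whitespace, so "union/**/select" does not match until comments are stripped.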