I wanted to ask if anyone knows of a way to prevent injection in SQL Server 2005. I mean, is there any way to do all the blocking in the server and not have to escape each special character one by one?
For example, in PHP I used mysql_escape_string and automatically the string was OK to send to the database... Is there something similar in SQL Server?
If you haven't found it yet, look into mssql_init/mssql_bind/mssql_execute, which use parameters to pass values into stored procedures. This is considered "the way" to do things in PHP with MS SQL. Also note the complaints about PHP not working with SQL 2005 Express, and how to fix it, in the comments of the PHP doc section on MSSQL.
The mistake which a lot of developers make is thinking parameterized stored procedures mitigate SQL injection 100% of the time. However, injection is still possible with parameters when dynamic SQL is used in the stored procedure:
create proc VulnerableDynamicSQL(@userName nvarchar(25))
as
declare @sql nvarchar(255)
-- the parameter value is spliced into the statement text, so any quote in @userName changes the SQL that runs
set @sql = 'select * from users where UserName = '''
+ @userName + ''''
exec sp_executesql @sql
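A hardened counterpart to the procedure above, added here as an example and not part of the original answer. It assumes the same users table, and a client such as sqlcmd or Management Studio that understands the go batch separator; the O'Brien input is a constructed sample.

```sql
-- SafeDynamicSQL (added example): the user-supplied value is never concatenated into
-- the SQL text. It is handed to sp_executesql as a typed parameter, so the engine
-- treats it purely as data, exactly as a parameter of the stored procedure itself.
create proc SafeDynamicSQL(@userName nvarchar(25))
as
begin
    declare @sql nvarchar(255)
    declare @params nvarchar(100)

    -- The statement text is a constant. @userName inside it is a placeholder, not the value.
    set @sql = N'select * from users where UserName = @userName'

    -- Declare the placeholder's type for sp_executesql, then bind the value to it.
    set @params = N'@userName nvarchar(25)'
    exec sp_executesql @sql, @params, @userName = @userName
end
go

-- Constructed input containing a single quote. The concatenated version builds
--   select * from users where UserName = 'O'Brien'
-- and fails with a syntax error (the quote has become SQL); the parameterized
-- version searches for a user literally named O'Brien.
declare @probe nvarchar(25)
set @probe = N'O''Brien'
exec VulnerableDynamicSQL @probe
exec SafeDynamicSQL @probe
```

This only works when the dynamic part is a value; an object name (table or column) cannot be a parameter, so if that part must be dynamic, validate it against an allow-list and wrap it with QUOTENAME instead.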