Quote:
I have one string variable sstateUrl= "http://abcd.com/url"
so I want to validate this sstateUrl to avoid SQL injection.
It doesn't work that way. You don't protect SQL queries from injection by checking the text that will be concatenated in the query.
SQL injection is when you build an SQL query by concatenating parts with user input. Because the end result is an SQL query, the user input is promoted to SQL code: a legal input can crash your SQL query, and a malicious input can crash or kill your database.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error-prone.
A single quote in a name and your program crashes. If a user input of a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: a malicious user input is promoted to SQL commands with all credentials.
SQL injection - Wikipedia
SQL Injection
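The point of the answer above, as an added example that is not part of the original post: the same two values are inserted once by string concatenation and once through a parameterized query. Python with its built-in sqlite3 module and the `visits` table are assumptions chosen so the example runs offline; the question does not say which language or database is in use.

```python
import sqlite3

def make_db():
    # In-memory database with a constructed sample table (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (name TEXT, url TEXT)")
    return conn

def insert_concatenated(conn, name, url):
    # Anti-pattern from the answer: input is pasted into the SQL text,
    # so a quote inside the value becomes part of the SQL syntax.
    sql = ("INSERT INTO visits (name, url) VALUES ('"
           + name + "', '" + url + "')")
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.Error as exc:
        return "error: " + str(exc)

def insert_parameterized(conn, name, url):
    # The SQL text is fixed; values travel separately as bound
    # parameters and are never parsed as SQL.
    conn.execute("INSERT INTO visits (name, url) VALUES (?, ?)",
                 (name, url))
    return "ok"

def urls_for(conn, name):
    # Lookups use bound parameters as well.
    rows = conn.execute("SELECT url FROM visits WHERE name = ?",
                        (name,)).fetchall()
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    url = "http://abcd.com/url"  # value from the question
    print(insert_concatenated(db, "Brian", url))            # plain name works
    print(insert_concatenated(db, "Brian O'Conner", url))   # quote breaks the query
    print(insert_parameterized(db, "Brian O'Conner", url))  # stored as data
    print(urls_for(db, "Brian O'Conner"))
```

No validation of `sstateUrl` is involved in the working version; the fix is that the value never becomes part of the SQL text.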