Dynamic SQL: secure a password parameter from SQL injections

As scary as it sounds, an input for a password parameter has to be secured in the following dynamic SQL: CREATE LOGIN NewLogin WITH PASSWORD='MyStrongPassword'. A @parameter canno开发者_JS百科t be used: like this PASSWORD=@pwd (Incorrect syntax near '@pwd' error). With other parameters like table name or user name, it is more or less simple: allow letters, digits and underscores, validate using a simple regex and quotename it. With passwords you have to allow usage of strong chars. So should the password be cleared from certain characters like comma, space, etc or is there a better way?

Not a direct answer, but you can parametrize sp_addlogin:

exec sp_AddLogin @user, @password;

Or you can use SMO.