Restrict semicolon to prevent SQL injection?

Use parameterized queries (or stored procedures) and avoid dynamic SQL like the plague.

I suggest using built-in library functions instead of trying to write your own anti-injection code.

A naive implementation will strip out ; even if it should be used (say as part of a passed-in VARCHAR or CHAR parameter, where it is legal). You will end up having to write your own SQL parser in order to accept/reject queries.

You can read here more about dynamic SQL and the problems it presents (and solves).
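As an added illustration (not code from either answer), this Python/sqlite3 snippet shows both points above: a semicolon filter silently mangles legitimate data and leaves concatenated SQL fragile on ordinary input, while a parameterized query stores the same values intact. The table, sample values, and function names are constructed for the example.

```python
import sqlite3


def strip_semicolons(value: str) -> str:
    """The naive 'anti-injection' filter the question proposes."""
    return value.replace(";", "")


def new_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    return conn


def insert_dynamic(conn, name, note):
    """Dynamic SQL: filter, then concatenate user input into the statement text.
    Raises sqlite3.OperationalError when the input breaks the statement's syntax."""
    sql = "INSERT INTO contacts (name, note) VALUES ('{}', '{}')".format(
        strip_semicolons(name), strip_semicolons(note))
    conn.execute(sql)
    conn.commit()


def insert_parameterized(conn, name, note):
    """Parameterized query: the driver sends values separately from the SQL text,
    so quotes and semicolons in the data are never parsed as SQL."""
    conn.execute("INSERT INTO contacts (name, note) VALUES (?, ?)", (name, note))
    conn.commit()


def find_note(conn, name):
    row = conn.execute("SELECT note FROM contacts WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def demo():
    """Returns (param_note, dynamic_note, param_quote_note, dynamic_error_type)."""
    conn = new_db()
    insert_parameterized(conn, "Smith", "call; then email")
    param_note = find_note(conn, "Smith")        # semicolon preserved
    insert_dynamic(conn, "Jones", "call; then email")
    dynamic_note = find_note(conn, "Jones")      # semicolon silently lost
    insert_parameterized(conn, "O'Brien", "ok")  # apostrophe is plain data
    param_quote_note = find_note(conn, "O'Brien")
    try:
        insert_dynamic(conn, "O'Brien", "ok")    # apostrophe breaks the statement
        err = None
    except sqlite3.OperationalError as e:
        err = type(e).__name__
    return param_note, dynamic_note, param_quote_note, err
```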


No, it does not prevent SQL injection attacks. Any time you're dynamically constructing SQL, either on the client side or with EXEC inside a stored proc, you are at risk.

Parameterized queries are the preferred way to get your input into a query.