WebApp Sec mailing list archives
Database Encryption -- Sql Injection
From: "Dave Bergert" <dbergert () nobel-net com>
Date: Mon, 21 Apr 2003 20:31:48 -0500
Does anyone have any comments on where best to incorporate column-level encryption in a database field? At the database server level (via a User Defined Function) or at the application level? Which would be less impervious to SQL Injection?
I am on a MS-SQL 2000 and IIS Platform.
If I had a User Defined Function for example:
Select decrypt(AccountNumber, "key") from tblTable where User = 'someuser'
If SQL Injection occurs:
Select decrypt(AccountNumber, "key") from tblTable where User = 'someuser' or 1=1
In this case, if SQL injection occurs, the encrypted field will be automatically decrypted by the UDF, showing all AccountNumbers.
If I had the Decryption handled at the Application:
Select encryptedAccountNumber from tblTable where User = 'someuser'
And had the application call:
AccountNumber = DecryptFunction (ResultSet ("encryptedAccountNumber" ), "key")
If SQL Injection occurs, the only way data could be seen is through whatever mechanism the application displays the AccountNumber.
(Are these scenarios identical?)
I know that encryption is not a substitute for good input sanity validation.
Which method would be better to implement?
Thanks for comments.
Regards,
Dave Bergert
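The two designs from the post side by side, as an added example that is not part of the thread: a Python/sqlite3 simulation in which a registered function stands in for the SQL Server UDF, a toy XOR "cipher" stands in for real encryption, and the table contents are constructed. It shows what each design returns when the WHERE clause is injected with the post's `or 1=1` pattern, and that a parameterised query closes the hole in either design.

```python
import sqlite3

KEY = 0x5A  # constructed toy key; stand-in for a real key and cipher


def toy_encrypt(plaintext: str) -> str:
    """XOR every byte with KEY and hex-encode. Not a real cipher."""
    return bytes(b ^ KEY for b in plaintext.encode()).hex()


def toy_decrypt(ciphertext: str) -> str:
    return bytes(b ^ KEY for b in bytes.fromhex(ciphertext)).decode()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Database-side decrypt UDF, standing in for the SQL Server UDF in the post.
    # The key argument is accepted so the SQL matches the post, but the toy ignores it.
    conn.create_function("decrypt", 2, lambda ct, _key: toy_decrypt(ct))
    conn.execute("CREATE TABLE tblTable (User TEXT, encryptedAccountNumber TEXT)")
    sample = [("alice", "1111-2222"), ("bob", "3333-4444"), ("carol", "5555-6666")]
    conn.executemany("INSERT INTO tblTable VALUES (?, ?)",
                     [(u, toy_encrypt(acct)) for u, acct in sample])
    return conn


def udf_lookup_concat(conn, user):
    """Design 1: the database decrypts via the UDF; the key travels in the query text.
    Built by string concatenation, so User is injectable."""
    sql = f"SELECT decrypt(encryptedAccountNumber, 'key') FROM tblTable WHERE User = '{user}'"
    return [row[0] for row in conn.execute(sql)]


def app_lookup_concat(conn, user):
    """Design 2: the database only ever returns ciphertext; the key stays in the app.
    Still injectable, but the app decrypts only the single row it expects.
    Returns None (and decrypts nothing) if the result set is not exactly one row."""
    sql = f"SELECT encryptedAccountNumber FROM tblTable WHERE User = '{user}'"
    rows = conn.execute(sql).fetchall()
    if len(rows) != 1:
        return None  # an injected WHERE clause returned extra rows: refuse to decrypt
    return toy_decrypt(rows[0][0])


def udf_lookup_param(conn, user):
    """Design 1 again, but parameterised: the input can no longer alter the WHERE clause."""
    sql = "SELECT decrypt(encryptedAccountNumber, 'key') FROM tblTable WHERE User = ?"
    return [row[0] for row in conn.execute(sql, (user,))]
```

Note that in design 2 the injected query still pulls every row's ciphertext across the wire; the gain is that plaintext and key never leave the application, not that the injection itself is stopped.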
