To prevent SQL-injection attacks,
- never use string concatenation to build a SQL command,
- always use the SqlCommand class (or OleDbCommand class, etc) with parameterized commands.
- if possible consider using stored procedures.
These are some of the common answers in the ASP.NET forums.
All relational databases are vulnerable to SQL-injection attacks. The primary reason for SQL-injection attacks comes through Web applications that combine user input with dynamic SQL to form SQL commands that the application sends to the database.
Bertrand LeRoy's article Please, please, please, learn about injection attacks! explains about Injection attacks in a lucid manner.