Have you ever seen an error message saying that something is wrong with an SQL statement? If so, you might consider attacking the application in order to, say, increase your bank account balance.
While SQL Injection is a well-known security vulnerability, there is still a lack of common practices or approaches for preventing such attacks. Before planning how to avoid this kind of vulnerability, I think understanding the problem is more important. Besides, here is some advice given by Eric Lippert on how to mitigate this general security problem:
1) Check every place in the code that uses the user-supplied string
2) Use stored procedures to ensure that only the query that you want to run actually runs
3) Don't connect to the database as admin if you don't need admin privileges
4) Keep anything sensitive (e.g. DB account, server name) that an attacker could use out of the source code
5) Avoid displaying detailed error messages that describe the internal state of the server
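Items 1 and 2 above come down to keeping the user-supplied string out of the SQL text, and item 5 is about what the user gets to see when a query fails. The Python/sqlite3 example below is added here to illustrate both; it is not from the original post, and the accounts table, the names and the lookup functions are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 40)])
    return conn

def balance_vulnerable(conn, owner):
    """Vulnerable: the user string is spliced into the SQL text, so the
    database parses it as part of the statement instead of as a value."""
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()

def balance_safe(conn, owner):
    """Hardened: a parameterized query. The value travels separately from
    the statement, so it can never change the shape of the query."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()

def handle_request(conn, owner, query_fn, log):
    """Item 5: keep the driver's error text on the server (a list stands in
    for the log here) and give the caller only a generic failure message."""
    try:
        return query_fn(conn, owner), "ok"
    except sqlite3.Error as exc:
        log.append(repr(exc))          # internal detail stays server-side
        return [], "lookup failed"     # nothing about the SQL or schema leaks

if __name__ == "__main__":
    db = make_db()
    # A perfectly legitimate name containing a quote breaks the concatenated
    # version (syntax error) but is handled correctly by the parameterized one.
    print(balance_safe(db, "O'Brien"))                             # []
    log = []
    print(handle_request(db, "O'Brien", balance_vulnerable, log))  # ([], 'lookup failed')
    print(log)                      # the raw sqlite3 error, visible only here
    # The textbook tautology: the concatenated query returns every account,
    # the parameterized query returns none.
    tautology = "' OR '1'='1"
    print(len(balance_vulnerable(db, tautology)), len(balance_safe(db, tautology)))  # 3 0
```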