SQL Injection is a method of hacking a website by entering SQL commands into input fields, query strings, etc. in order to manipulate the SQL statements the application sends to its database. It has been my experience that a lot of smaller websites based on ASP and Microsoft Access are vulnerable to such attacks.
In general, the web developer should do the following to avoid SQL Injection Attacks:
1) Use parameterized queries or stored procedures to access the database instead of building SQL statements on the fly (dynamic SQL).
2) Limit the number of characters allowed in input fields (e.g. username and password fields) to a sensible maximum. (MaxLength = ??)
3) Validate text input for improper characters (like '). In ASP.NET you would use a RequiredFieldValidator and a RegularExpressionValidator.
4) Do not display errors to the user that contain all kinds of wonderful hacking information like table names, fields, database drivers, SQL statements, etc. Use a custom generic error page in ASP.NET.
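To make steps 1 to 4 concrete, here is an added C# (ADO.NET) example that is not from the original post: the dynamic-SQL pattern beside its parameterized equivalent, with the server-side length and character checks and a generic failure path. The connection string, the Users table and its column names, the username pattern and the LoginRepository class are all assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class LoginRepository
{
    // Placeholder connection string (assumption; not from the original post).
    private const string ConnectionString = "Server=(local);Database=ExampleDb;Integrated Security=true";
    // Server-side twin of the TextBox MaxLength (step 2); client-side limits can be bypassed.
    private const int MaxUsernameLength = 50;
    // Step 3: the same pattern you would give a RegularExpressionValidator (assumed policy; no quotes).
    private static readonly Regex UsernamePattern = new Regex("^[A-Za-z0-9_.-]+$");
    // WHAT NOT TO DO: dynamic SQL. A quote in either argument ends the string literal,
    // so the rest of the input is parsed as SQL and the WHERE clause is no longer yours.
    public static string BuildUnsafeQuery(string username, string passwordHash)
    {
        return "SELECT COUNT(*) FROM Users WHERE Username = '" + username +
               "' AND PasswordHash = '" + passwordHash + "'";
    }
    // Step 1: parameterized query. The statement text is fixed and the values travel
    // separately, so a quote inside username is just data. The caller passes the password
    // already hashed (hashing is outside this example).
    public static bool IsValidLogin(string username, string passwordHash)
    {
        if (string.IsNullOrEmpty(username) || username.Length > MaxUsernameLength
            || !UsernamePattern.IsMatch(username) || string.IsNullOrEmpty(passwordHash))
            return false;
        const string sql = "SELECT COUNT(*) FROM Users WHERE Username = @Username AND PasswordHash = @PasswordHash";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed, sized parameters; a stored procedure (CommandType.StoredProcedure) binds the same way.
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, MaxUsernameLength).Value = username;
            cmd.Parameters.Add("@PasswordHash", SqlDbType.NVarChar, 128).Value = passwordHash;
            try
            {
                conn.Open();
                return (int)cmd.ExecuteScalar() > 0;
            }
            catch (SqlException ex)
            {
                // Step 4: never echo ex.Message (tables, columns, driver) to the browser.
                // Log it server-side and let <customErrors mode="On"> show the generic page.
                Trace.TraceError(ex.ToString());
                return false;
            }
        }
    }
}
```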
For all those ASP and ASP.NET developers who want to protect their website from SQL Injection Attacks and other security related problems, I recommend reviewing the following article and Microsoft Webcasts:
SQL Injection Attacks - Are You Safe?
Protecting Your System From SQL Injection Attacks (Webcast)
Dave’s Top 10 Ways to Secure Your Web Application (Webcast)
The last one is a little more in-depth about website security in general, not just SQL Injection Attacks.