So, what is SQL Injection and how do I stop it?
SQL injection is bad… There are a number of causes, but put most simply it happens when you don’t use SQL properly. How do you prevent it? There are several approaches. The absolute easiest is to configure your database to never allow more than one query per call; most hosting providers do this already. The other is to use an ORM and never, ever compose SQL queries from user input without using bind parameters. (Using an ORM isn’t required to prevent SQL injection, but using one makes the whole world go round better, so just bite the learning-curve bullet and use one. Your productivity will go up at least 100%.)
xkcd has a wonderful comic that illustrates how SQL injection takes place: http://xkcd.com/327/