At the very basic level check the values that the user submits before you send them to the SQL Server and remove any single quotes and semi-colons. You may want to look at this <a href="http://searchsqlserver.techtarget.com/tip/0,289483,sid87_gci1318837,00.html">article</a> as well.
SQL injection is usually an issue when dynamic SQL is being used in the Stored Procedures. You can parameterize the queries and use the MSSQL procedure sp_executesql to run the query. This will protect against any SQL injection. If you are creating your statement on the fly (i.e. set @vs_sql = 'Select something from table where field = ' + @field) then you will have issues. This isn't the recommended way of writing the query.
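As an added example (not the poster's code), here is the on-the-fly concatenation pattern the answer warns about beside the sp_executesql parameterized form; it assumes a hypothetical table dbo.Customers with columns LastName and Email.

```sql
-- Added example, not from the original post.
-- Assumes a hypothetical table dbo.Customers(LastName nvarchar(100), Email nvarchar(200)).

-- Unsafe: the caller's value is spliced into the statement text, so any quote
-- characters inside @LastName become part of the SQL that gets parsed.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @LastName nvarchar(100)
AS
BEGIN
    DECLARE @vs_sql nvarchar(max);
    SET @vs_sql = N'SELECT Email FROM dbo.Customers WHERE LastName = '''
                + @LastName + N'''';
    EXEC (@vs_sql);
END
GO

-- Safe: the statement text is a constant and the value travels separately as a
-- typed parameter, so SQL Server never treats it as part of the query text.
-- Note that sp_executesql only helps when the value is passed this way; if
-- @LastName were still concatenated into @vs_sql, nothing would be gained.
CREATE PROCEDURE dbo.FindCustomer_Safe @LastName nvarchar(100)
AS
BEGIN
    DECLARE @vs_sql nvarchar(max);
    SET @vs_sql = N'SELECT Email FROM dbo.Customers WHERE LastName = @p_last';
    EXEC sys.sp_executesql
        @stmt   = @vs_sql,
        @params = N'@p_last nvarchar(100)',
        @p_last = @LastName;
END
GO
```

Both procedures are called the same way (EXEC dbo.FindCustomer_Safe @LastName = N'Smith'), so the parameterized version is a drop-in replacement for the concatenated one.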