At the very basic level, check the values that the user submits before you send them to the SQL Server and remove any single quotes and semi-colons. You may want to look at this article as well.
SQL injection is usually an issue when dynamic SQL is being used in the Stored Procedures. You can parameterize the queries and use the MSSQL procedure sp_executesql to run the query. This will protect against any SQL injection. If you are creating your statement on the fly (i.e. set @vs_sql = 'Select something from table where field = ' + @field) then you will have issues. This isn't the recommended way of writing the query.
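To make the contrast in that answer concrete, here is an added T-SQL example (not code from either poster) that puts the on-the-fly concatenation next to the sp_executesql form; it assumes a hypothetical table dbo.Customers(CustomerId INT, Name NVARCHAR(100)).

```sql
-- Added example, not from the answers above. Assumes a hypothetical table
-- dbo.Customers(CustomerId INT, Name NVARCHAR(100)).

-- 1. The pattern the answer warns about: the caller's value is spliced into
--    the statement text, so any quote inside @name becomes part of the SQL
--    and can change the shape of the query rather than just its data.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = '''
             + @name + N'''';
    EXEC (@sql);   -- @name is parsed as SQL text here
END;
GO

-- 2. The same lookup with sp_executesql: the statement text is a constant
--    and the value travels as a typed parameter, so it is only ever data.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @p_name;';
    EXEC sp_executesql
        @sql,
        N'@p_name NVARCHAR(100)',   -- parameter definition list
        @p_name = @name;            -- bind the caller's value by name
END;
GO

-- A name containing a quote is handled without any manual escaping:
EXEC dbo.FindCustomer_Safe @name = N'O''Brien';
```

The same parameter list can carry several values (comma-separated in both the definition string and the bindings), so there is no need to fall back to concatenation for multi-field filters.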