Paul Litwin has posted some good points to help prevent SQL Injection attacks. View his article at http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx.