An injection attack is when you insert code in a manner the application developers did not expect.
Example: your text box populates @Parameter to do a lookup on a table. An attacker overloads @Parameter to perform some unexpected operation.
Another way of thinking about injection attacks: getting "outside" the parameter.
SQL injection is not the only injection attack available.
Because of how easy it is to stop SQL injection, your application being susceptible indicates that you may have bigger problems, like:
There is one and only one way to protect yourself against SQL injection: parameterize your queries.
To learn how to do this for non-ASP.Net solutions, go to http://bobby-tables.com.
To learn more, go here:
Catallaxy Services consulting: