This is a very important issue to consider when you're using form/url variables in databases. A user can cleverly put in SQL statements and manipulate your db server as he sees fit if you don't take the necessary precautions. I get the feeling that there are several people that aren't aware of this when they develop their apps. I crashed a page from jumptheshark.com a while back doing this and I e-mailed them about their bug. They seemed to fix it the next day but I never got a thank you!
Here are some quick tips:
If expecting an integer, check in the script that it's of type int and that it's within the integer boundary - if it's expecting numbers from 1-20, then just keep it within this boundary; if it's larger or smaller than this boundary, take the necessary action.
Also check that the integers/reals your script is expecting from the user are less/greater than the largest/smallest integers/reals, or whatever the max/min of the language you're using is... sometimes a big or small enough number can cause the page to crash.
Strings - if it's a value from a list box, only error check for those values in the script... if it's anything else, take the necessary action. If it's a string the user has to put in, check if the first chars are: ' or " or ; - also replace all <>"& with their HTML entities.
Here's a good document:
http://www.webmasterbase.com/article/794
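An added example (not from the post or the linked article) showing the post's two checks in code: the bounded-integer check and the leading-quote/semicolon check on a string, next to a query that pastes the value into the SQL text and the same query with a bound parameter. The in-memory SQLite table, its rows and the lookup functions are all constructed for this example; parameter binding is the added, more robust technique the post does not mention. The crafted title below is the kind of "cleverly put in" value the post warns about; the point is that the bound version returns nothing for it while the concatenated one returns every row.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for a site's db.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE episodes (id INTEGER PRIMARY KEY, title TEXT, rating INTEGER)")
    conn.executemany("INSERT INTO episodes VALUES (?, ?, ?)", [
        (1, "Pilot", 9), (2, "The Wedding", 4), (3, "Cousin Oliver", 2)])
    return conn

def parse_bounded_int(raw, lo=1, hi=20):
    # The post's integer tip: must parse as a plain int and fall inside [lo, hi].
    # Anything else (text, huge numbers, out-of-range values) is rejected with None.
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None
    if not lo <= value <= hi:
        return None
    return value

SUSPICIOUS_FIRST_CHARS = ("'", '"', ";")

def is_clean_string(raw, max_len=64):
    # The post's string tip: refuse a free-text value whose first char is ' " or ;
    # and (added here) cap its length so oversized input is rejected too.
    return (isinstance(raw, str)
            and 0 < len(raw) <= max_len
            and not raw.startswith(SUSPICIOUS_FIRST_CHARS))

def lookup_naive(conn, title):
    # VULNERABLE: the form value is spliced into the SQL text, so the value can
    # change the meaning of the statement instead of just being compared.
    sql = "SELECT id FROM episodes WHERE title = '%s'" % title
    return sorted(row[0] for row in conn.execute(sql))

def lookup_safe(conn, title):
    # HARDENED: the driver binds the value as data; it cannot alter the query.
    rows = conn.execute("SELECT id FROM episodes WHERE title = ?", (title,))
    return sorted(row[0] for row in rows)

def lookup_by_id(conn, raw_id):
    # Integer path: validate first, then bind. None means "take necessary action"
    # (e.g. return an error page) instead of touching the database.
    eid = parse_bounded_int(raw_id)
    if eid is None:
        return None
    rows = conn.execute("SELECT title FROM episodes WHERE id = ?", (eid,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"          # constructed hostile form value
    print("naive:", lookup_naive(db, crafted))   # every row comes back
    print("safe: ", lookup_safe(db, crafted))    # no row has that literal title
    print("clean?", is_clean_string(crafted))    # post's first-char check catches it
    print("id=7 ->", parse_bounded_int("7"), " id=21 ->", parse_bounded_int("21"))
```

The first-character check only catches values that start with a quote or semicolon, so it is a useful early reject rather than a complete defence; binding the value as a parameter is what keeps the query's structure fixed no matter what the user typed.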