Thanks for the feedback.

To avoid SQL injection: always validate user input, use parameterized queries and sp_executesql, and limit the permissions of the ASPNET user on the server and within the database.

There are many ways to do these things, and you should choose the method that works best for you. I've posted a couple of code samples above in VB and T-SQL.

In addition, limit the amount of data sent across the wire and hash or encrypt sensitive data on the wire, and in your database, when possible. Again, there are many methods of doing this, including AES encryption, SHA-256/SHA-512 hashing, etc.

Thanks!
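The following T-SQL script is an added example, not one of the samples the reply refers to. It shows the two points the reply makes on the database side: a lookup that concatenates user input into dynamic SQL next to the same lookup rewritten with sp_executesql and a typed parameter, and a least-privilege grant so the application login can only execute the procedure. The table `dbo.Customers`, its columns, the login name `AppUser` and the sample rows are all assumed for illustration.

```sql
-- Added example (not from the original post). Assumed schema for illustration.
CREATE TABLE dbo.Customers (
    CustomerId   INT           NOT NULL PRIMARY KEY,
    CustomerName NVARCHAR(100) NOT NULL,
    Email        NVARCHAR(256) NOT NULL
);
INSERT INTO dbo.Customers (CustomerId, CustomerName, Email) VALUES
    (1, N'O''Brien', N'obrien@example.invalid'),   -- constructed sample data
    (2, N'Smith',    N'smith@example.invalid');
GO

-- Pattern to avoid: the caller's value is spliced into the statement text, so
-- whatever is passed as @Name is parsed as SQL, not treated as data.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @Sql NVARCHAR(MAX) =
        N'SELECT CustomerId, CustomerName FROM dbo.Customers '
      + N'WHERE CustomerName = ''' + @Name + N''';';
    EXEC (@Sql);
END;
GO

-- Recommended pattern: the statement text is a constant; the value is bound as a
-- typed parameter through sp_executesql and can never change the query's shape.
CREATE PROCEDURE dbo.FindCustomer
    @Name NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Sql NVARCHAR(MAX) =
        N'SELECT CustomerId, CustomerName FROM dbo.Customers WHERE CustomerName = @Name;';
    EXEC sys.sp_executesql
        @Sql,
        N'@Name NVARCHAR(100)',   -- parameter declaration: type and length are fixed
        @Name = @Name;            -- the input travels as a value, not as SQL text
END;
GO

-- Least privilege: the web application's database user (assumed name) may run the
-- procedure but has no direct rights on the table, so even a flaw elsewhere in the
-- application cannot read or modify dbo.Customers except through this procedure.
GRANT EXECUTE ON OBJECT::dbo.FindCustomer TO AppUser;
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers TO AppUser;
GO

-- Both calls return the single O'Brien row; the embedded quote is handled as data
-- by sp_executesql, while the unsafe version only works because the caller
-- happened to double the quote itself.
EXEC dbo.FindCustomer @Name = N'O''Brien';
```

Note that the `DENY` on the table is what makes the permission boundary explicit: `GRANT EXECUTE` alone still leaves any rights the login inherits from `public` or other roles in place, so check those as well when auditing the ASPNET user's access.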