SQL Injection, in a nutshell, is an exploit in which unhandled or unexpected SQL commands are passed to SQL Server in a malicious manner.
With the SQL Server Find and Replace Values in All Tables and All Text Columns script for SQL Server 2005, the malicious data can be identified and corrected with confidence.
Validate the SQL commands that are being passed by the front end
Validate the length and data type per parameter
Convert dynamic SQL to stored procedures that accept parameters
Remove old web pages and directories that are no longer in use because these can be crawled and exploited
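The two recommendations on validating length and data type per parameter and replacing dynamic SQL with parameterized calls, as an added example that is not code from the original article or its script. It uses sqlite3 in place of SQL Server; the Customers table, its 50-character Name column and the sample rows are constructed assumptions, and the same pattern applies through pyodbc/sp_executesql (also an assumption).

```python
import sqlite3

# Added example, not code from the original article. sqlite3 stands in for
# SQL Server; the same pattern applies through pyodbc/sp_executesql (assumed).

MAX_NAME_LEN = 50  # assumed length of the Customers.Name column

class ValidationError(ValueError):
    """Raised when a front-end parameter fails length or type checks."""

def validate_customer_name(value):
    # Per-parameter data-type and length validation, as the article advises.
    if not isinstance(value, str):
        raise ValidationError("name must be a string")
    if not 1 <= len(value) <= MAX_NAME_LEN:
        raise ValidationError("name length out of range")
    return value

def make_db():
    # Constructed sample data; an apostrophe in a legitimate value is the
    # classic case that breaks concatenated SQL.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)",
                     [(1, "Alice"), (2, "Bob"), (3, "O'Brien")])
    return conn

def find_customers_by_name_dynamic(conn, name):
    # Dynamic SQL built by string concatenation: the value becomes part of the
    # statement text, so quotes in it change the statement. Kept only as the
    # 'before' to contrast with the parameterized version below.
    sql = "SELECT Id FROM Customers WHERE Name = '" + name + "'"
    return [r[0] for r in conn.execute(sql).fetchall()]

def find_customers_by_name(conn, name):
    # Parameterized equivalent: the driver sends the value separately from the
    # SQL text, so it is always treated as data, never as a command.
    name = validate_customer_name(name)
    rows = conn.execute("SELECT Id FROM Customers WHERE Name = ?", (name,))
    return [r[0] for r in rows.fetchall()]

if __name__ == "__main__":
    db = make_db()
    print(find_customers_by_name(db, "O'Brien"))  # [3]
```

The concatenated version fails on the legitimate name O'Brien for the same reason it is injectable: the value's quote character is parsed as SQL.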