In SQL databases,
anything following the quote ( ‘ ) is considered code. So, If we want to check if a website is vulnerable to SQL injection, we just need to type a single quote in the URL. The website may vomit an error saying argument is invalid SQL result resource or there is an error in your SQL syntax etc… This would prove the website is SQL injectable.
Besides the quote character, other characters can also be used to check SQL injection. Like, In case of Oracle, blank space, comma or double quote characters.
Preventing SQL injection
To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, parameterized statements must be used (preferred), or user input must be carefully escaped or filtered.
How To: Protect From SQL Injection in ASP.NET
protect mysql db :
protect Oracle db: