Never trust user input - Validate every textbox entry on the server (validation controls, regular expressions, code, and so on); client-side checks are a usability aid that an attacker can bypass, so the server-side check is the real control
Never use dynamic SQL - Use parameterized SQL or stored procedures so that user input is passed as data and never concatenated into the SQL text (a stored procedure that builds a string from its arguments and runs it with EXEC is still dynamic SQL)
Never connect to a database using an admin-level account - Connect with a least-privilege account that has only the rights the application needs, so an injection that does get through cannot drop tables or read other databases
Don't store secrets in plain text - Hash passwords with a salted, slow hash (not reversible encryption); encrypt other sensitive data, and encrypt connection strings in web.config
Exceptions should divulge minimal information - Don't reveal stack traces, SQL error text or table names in error messages; use customErrors to show a generic page on unhandled errors, log the detail server-side, and set debug to false in web.config
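The following worked example is added here and is not code from the original page or the article it links to. It shows four of the tips above in one runnable script using Python's sqlite3 module in place of ASP.NET and SQL Server: a dynamic (concatenated) query beside its parameterized form, with an injection payload that succeeds against the first and fails against the second; an SQLite authorizer used as a stand-in for a least-privilege database account (SQLite has no user accounts, so the authorizer denies anything but reads); salted PBKDF2 password hashing with constant-time comparison; and an error handler that logs the real exception but returns only a generic message. Table names, column names and function names are assumptions for the demonstration.

```python
"""Added example (not from the original page): dynamic vs parameterized SQL,
a read-only connection standing in for a limited DB account, salted password
hashing, and minimal error disclosure, all on an in-memory SQLite database."""
import hashlib
import hmac
import logging
import os
import sqlite3
from typing import Optional, Tuple

log = logging.getLogger("db")

GENERIC_ERROR = "Request could not be processed"  # what the user sees


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users' orders and an empty users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, total REAL)")
    conn.executemany(
        "INSERT INTO orders (owner, total) VALUES (?, ?)",
        [("alice", 10.0), ("alice", 25.5), ("bob", 99.0)],
    )
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def orders_dynamic(conn: sqlite3.Connection, owner: str):
    """VULNERABLE: the owner string is concatenated into the SQL text, so a
    value such as  ' OR '1'='1  rewrites the WHERE clause."""
    sql = "SELECT id, total FROM orders WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def orders_param(conn: sqlite3.Connection, owner: str):
    """SAFE: the owner string is bound as a parameter and compared as data."""
    return conn.execute("SELECT id, total FROM orders WHERE owner = ?", (owner,)).fetchall()


def restrict_to_read_only(conn: sqlite3.Connection) -> None:
    """Stand-in for a limited-privilege DB account: allow SELECT and column
    reads, deny every other action (INSERT, DELETE, DROP TABLE, ...)."""
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def try_delete(conn: sqlite3.Connection) -> str:
    """Minimal disclosure: log the real error, return only a generic message."""
    try:
        conn.execute("DELETE FROM orders")
        return "deleted"
    except sqlite3.Error as exc:          # e.g. 'not authorized' from the authorizer
        log.error("DELETE failed: %s", exc)
        return GENERIC_ERROR


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256; 600k iterations is the
    OWASP (2023) recommendation for this construction."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt, digest


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt, digest))


def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)   # same cost for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("dynamic  :", orders_dynamic(db, payload))   # all three rows leak
    print("parameter:", orders_param(db, payload))     # no rows
    register(db, "alice", "correct horse")
    print("login ok :", verify(db, "alice", "correct horse"))
    restrict_to_read_only(db)
    print("delete   :", try_delete(db))                # generic message only
```

Run it directly to see the dynamic query return every order for the payload while the parameterized query returns none; after `restrict_to_read_only`, the DELETE is refused at prepare time and the caller sees only `GENERIC_ERROR` while the real reason goes to the log.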
For more information, follow the link below:
SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev