After attending the track by Clement Arul, I went back home and tried to attack the portals in my company.
Check out this article – Stop SQL Injection Attacks Before They Stop You; it gives a clear explanation of what SQL injection is.
Did some research on this topic: Microsoft developers can greatly lower the chances of a SQL injection attack by using the correct way to connect to the DB for transactions.
How does SQL Parameter prevent SQL injection?
“Basically, when you perform a SQLCommand using SQLParameters, the parameters are never inserted directly into the statement. Instead, a system stored procedure called sp_executesql is called and given the SQL string and the array of parameters. When used as such, the parameters are isolated and treated as data, NOT commands, so what they contain can never be “executed”.” — By KeithS
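To see the "data, not commands" point in running code, here is an added example (my own, not from the original post or from KeithS). It uses Python's sqlite3 module instead of SqlCommand, because it runs offline without a SQL Server instance; sqlite binds placeholders through its driver API rather than via sp_executesql, but the principle is identical. The table, user rows and login functions are all constructed for the demo. The vulnerable function pastes input into the statement; the hardened one passes it as a bound parameter. The classic textbook tautology input is used only to show that the parameterized version treats it as an ordinary (non-matching) password.

```python
import sqlite3


def make_db():
    """Build an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("O'Brien", "pw")],
    )
    return conn


def login_concatenated(conn, username, password):
    """VULNERABLE: input is spliced into the SQL text, so it can change the query."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """SAFE: '?' placeholders are bound by the driver; values are data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Run both variants against the same inputs and report the outcomes."""
    conn = make_db()
    bypass = "' OR '1'='1"  # textbook tautology; no real credential
    results = {
        # Correct credentials work either way.
        "concat_valid": login_concatenated(conn, "alice", "s3cret"),
        "param_valid": login_parameterized(conn, "alice", "s3cret"),
        # The concatenated query's WHERE clause is rewritten and matches rows.
        "concat_bypass": login_concatenated(conn, "alice", bypass),
        # The bound parameter is compared literally as a password and matches nothing.
        "param_bypass": login_parameterized(conn, "alice", bypass),
        # A legitimate apostrophe in a value is harmless when bound ...
        "param_apostrophe": login_parameterized(conn, "O'Brien", "pw"),
    }
    # ... but breaks the concatenated statement (the quote ends the string early).
    try:
        login_concatenated(conn, "O'Brien", "pw")
        results["concat_apostrophe_error"] = False
    except sqlite3.OperationalError:
        results["concat_apostrophe_error"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In ADO.NET the parameterized form is `SqlCommand` with `cmd.Parameters.Add(...)` or `cmd.Parameters.AddWithValue("@user", username)` and `@user` placeholders in the command text; the driver then sends the text and the parameter array to sp_executesql exactly as the quote above describes. The apostrophe case is worth noting for defenders: besides blocking injection, binding also fixes the ordinary breakage that string concatenation causes on legitimate names, so the two goals are not in tension.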