SQL injection becomes possible whenever a user supplies data to your application and you then use that data to form a SQL query. In other words, almost all applications are at risk. After all, which web application doesn't accept input? It might be a search textbox, for example, and you then of course query the database using a query based on the textbox value.
Let me give you one example. Let's say you have a login form:
<INPUT NAME="LoginId" TYPE="TEXT">
<INPUT NAME="Password" TYPE="Password">
<INPUT NAME="submit" VALUE="Submit" TYPE="SUBMIT">
So, if you just use the Request values for the LoginId and Password textboxes to form a SQL query against your database:
string sSQL = "select name, id, isadministrator from usertable where loginid='" + Request["loginid"] + "' and password='" + Request["Password"] + "'";
your SQL query might end up like "select name, id, isadministrator from usertable where loginid='a123' and password='thepwd'"
Fine, you might think. However, now let's say the user enters something like this in the password field:
' or ''='
What will your query look like now?
select name, id, isadministrator from usertable where loginid='a123' and password='' or ''=''
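Added example (not from the original article): the login query above rebuilt in Python against an in-memory SQLite table, both stand-ins for the article's ASP.NET code, with constructed rows, comparing string concatenation with a parameterized query. Because AND binds tighter than OR, the concatenated WHERE clause ends in or ''='' and is true for every row, while with placeholders the same input is only ever compared as a password value.

```python
import sqlite3

def make_db():
    # Constructed sample data; the schema mirrors the columns named in the
    # article's query (a real system would store password hashes, not text).
    db = sqlite3.connect(":memory:")
    db.execute("create table usertable (id integer, name text, loginid text, "
               "password text, isadministrator integer)")
    db.executemany("insert into usertable values (?, ?, ?, ?, ?)", [
        (1, "Alice Admin", "a123", "thepwd", 1),
        (2, "Bob User", "b456", "hunter2", 0),
    ])
    return db

def build_concat_query(loginid, password):
    # Same string building as the article's login code: input becomes SQL text.
    return ("select name, id, isadministrator from usertable where loginid='"
            + loginid + "' and password='" + password + "'")

def login_concat(db, loginid, password):
    # Vulnerable form: executes whatever SQL the concatenation produced.
    return db.execute(build_concat_query(loginid, password)).fetchall()

def login_param(db, loginid, password):
    # Hardened form: placeholders make the driver pass values as data only.
    return db.execute(
        "select name, id, isadministrator from usertable "
        "where loginid=? and password=?", (loginid, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "' or ''='"  # the input shown in the article
    print(build_concat_query("a123", crafted))
    print("concatenated: ", login_concat(db, "a123", crafted))
    print("parameterized:", login_param(db, "a123", crafted))
    print("parameterized, real password:", login_param(db, "a123", "thepwd"))
```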