SQL injection remains the #1 web application vulnerability. Here's your defense checklist.
Rule #1: Parameterized Queries
NEVER concatenate user input into SQL strings. Use prepared statements / parameterized queries in every language: write WHERE id = ? and pass the value as a bound parameter, never build "WHERE id = '" + input + "'" by string concatenation.
Rule #2: Input Validation
Validate type (expecting a number? Reject anything that isn't one). Validate length (a username shouldn't be 10,000 characters). Whitelist allowed characters whenever you can.
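Added example (not from the original post): the three checks of Rule #2 as plain Python validators that a form handler would call before the query. The 32-character limit and the allowed character set are assumed policy values for illustration. Validation is a second layer on top of Rule #1, not a substitute for it.

```python
import re

# Assumed policy values for this example; adjust to your own application's rules.
MAX_USERNAME_LEN = 32
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]+")  # whitelist of allowed characters
INT_RE = re.compile(r"[0-9]+")                 # ASCII digits only


def validate_username(value):
    """Return value unchanged if it is a string of allowed characters within the
    length limit; raise ValueError otherwise (type, then length, then charset)."""
    if not isinstance(value, str):
        raise ValueError("username must be a string")
    if not 1 <= len(value) <= MAX_USERNAME_LEN:
        raise ValueError(f"username must be 1-{MAX_USERNAME_LEN} characters")
    if USERNAME_RE.fullmatch(value) is None:
        raise ValueError("username contains characters outside the allowed set")
    return value


def validate_id(value):
    """Return a positive int for a form field that is meant to be a record id.
    Accepts an int or a string of ASCII digits only; rejects everything else,
    including bools, floats, negative numbers and digit strings with extra text."""
    if isinstance(value, bool):
        raise ValueError("id must be an integer")
    if isinstance(value, int):
        number = value
    elif isinstance(value, str) and INT_RE.fullmatch(value.strip()):
        number = int(value.strip())
    else:
        raise ValueError("id must be an integer or a string of digits")
    if number <= 0:
        raise ValueError("id must be positive")
    return number


def rejects(validator, value):
    """True if the validator refuses the value (handy for self-checks)."""
    try:
        validator(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in ("alice_01", "a" * 10000, "alice' OR 1=1 --", 12345):
        print(repr(sample)[:30], "->", "rejected" if rejects(validate_username, sample) else "ok")
    for sample in ("42", 7, "42 OR 1=1", "-1", 3.5):
        print(repr(sample), "->", "rejected" if rejects(validate_id, sample) else validate_id(sample))
```

The id check is the more important of the two: if a field is only ever used as an integer, converting it to one up front means no string from the user reaches the query layer at all.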
Rule #3: Least Privilege
Your web app's database user should NOT have DROP TABLE or DELETE permissions unless absolutely necessary. Create read-only users for read-only operations.
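Added example (not from the original post). In a server database you would create a role without DELETE or DROP rights and give the web app that login; sqlite has no GRANT, so to show the effect in something you can run offline this example uses sqlite3's authorizer hook as a stand-in for that restricted role. The orders table and its rows are constructed for the demo.

```python
import sqlite3

# What a read-only application role may do: run SELECTs, read columns and call
# built-in functions such as count(). Every other action (DELETE, DROP TABLE,
# UPDATE, INSERT, schema changes, ...) is refused.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """sqlite3 calls this for every operation while a statement is compiled;
    returning SQLITE_DENY makes the statement fail before it runs."""
    return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY


def make_db():
    """Constructed sample data for this example. Schema and rows are created by an
    unrestricted connection, the way a migration or admin account would do it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT)")
    conn.executemany("INSERT INTO orders (item) VALUES (?)", [("book",), ("lamp",)])
    conn.commit()
    return conn


def restrict_to_read_only(conn):
    """Stand-in for handing the web app a read-only database login."""
    conn.set_authorizer(read_only_authorizer)
    return conn


def run(conn, sql):
    """Execute one statement and report ('ok', rows) or ('denied', message)."""
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.DatabaseError as exc:  # 'not authorized' arrives as a DatabaseError
        return ("denied", str(exc))


def count_orders(conn):
    return conn.execute("SELECT count(*) FROM orders").fetchone()[0]


def read_only_report():
    """Verdict for each kind of statement under the restricted role, plus the
    number of rows still present afterwards."""
    conn = restrict_to_read_only(make_db())
    statements = (
        "SELECT item FROM orders ORDER BY id",
        "INSERT INTO orders (item) VALUES ('pen')",
        "UPDATE orders SET item = 'x'",
        "DELETE FROM orders",
        "DROP TABLE orders",
    )
    report = {sql: run(conn, sql)[0] for sql in statements}
    report["rows_left"] = count_orders(conn)
    return report


if __name__ == "__main__":
    for key, verdict in read_only_report().items():
        print(f"{key:42} -> {verdict}")
```

The point carries over unchanged to a real database: even if a query in the read-only code path turns out to be injectable, a role that cannot DELETE or DROP limits what that bug can do.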
Testing
Try entering ' OR 1=1 -- in your own form fields. If anything unexpected happens (extra rows come back, or the page throws a database error), you have a vulnerability. Use sqlmap for automated testing of your own applications.
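Added example (not from the original post) that serves both Rule #1 and this Testing section: a concatenated lookup next to its parameterized form, and a probe that feeds each one the post's self-test input and reports what came back. The users table, the names in it and the e-mail addresses are constructed; the concatenated function is kept only so the difference is visible.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("o'brien", "obrien@example.test"),  # a legitimate name containing a quote
]


def make_db():
    """Fresh in-memory database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_concat(conn, username):
    """VULNERABLE (shown only for contrast): the input is spliced into the SQL
    text, so a quote character in it changes the statement's structure."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, username):
    """SAFE: the SQL text is fixed; the driver sends the value as a bound
    parameter, so it is only ever compared as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The post's self-test input. Nobody has this username, so a correct lookup
# must return zero rows.
PROBE = "' OR 1=1 --"


def probe(lookup, username):
    """Run one input through a lookup function and describe what happened.
    Anything other than the row count you expect (extra rows, or an SQL
    error) is the 'unexpected' result the post tells you to look for."""
    conn = make_db()
    try:
        rows = lookup(conn, username)
    except sqlite3.Error as exc:
        return f"error: {exc}"
    finally:
        conn.close()
    return f"{len(rows)} row(s)"


if __name__ == "__main__":
    for name, lookup in (("concatenated", find_user_concat), ("parameterized", find_user_param)):
        for value in ("alice", "o'brien", PROBE):
            print(f"{name:14} {value!r:16} -> {probe(lookup, value)}")
```

Note the o'brien row: concatenation does not just open the door to the probe, it also breaks on ordinary data containing a quote, while the parameterized version handles both cases correctly. A probe like this belongs in your test suite so the check runs on every build rather than once by hand.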