Finextra reports that SQL injection attacks against banks are skyrocketing.
I can't tell you how many times I've seen various data-driven sites fall over when I (innocently enough, I swear) enter text containing quotation marks. I wince every time I see something like:
Invalid syntax near '''.
This generally indicates that the code behind the site is concatenating user input into SQL text to form its queries: the quotation mark closes the string literal early, and whatever follows it is handed to the database as SQL rather than as data. Not only does this make harmless input like mine blow up, it also means the site is vulnerable to SQL injection, which lets a malicious user run arbitrary SQL statements against the database. This could be used for malicious DML, like:
SELECT CreditCardNumber FROM Customers
Or even for malicious DDL, like:
DROP TABLE Customers
The severity of what is possible really depends on the account the application uses to connect to the database. That account should be a least-privileged user with only the permissions the application actually needs, but often it is a high-powered admin account, in which case an injected statement can do anything that account can do, including the DROP TABLE above.
We provide extensive guidance on how to avoid SQL injection attacks in this "How To" article from Microsoft Patterns & Practices. The classic Writing Secure Code by Howard and LeBlanc also covers this topic very well. In short, developers need to take a "defense in depth" approach to this problem: validate input at the UI (allow-list what each field may contain), never build SQL by concatenating input in the middle tier (use parameterized queries or parameterized stored procedures instead), and finally connect to the database through a low-privileged account so that anything that slips past the first two layers can do as little damage as possible.
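As an added example (this is not code from the original post, nor from the Patterns & Practices article it links), the following Python script shows all three layers on an in-memory SQLite database: an allow-list check for the UI layer, the concatenated query that produces the syntax error quoted above next to its parameterized replacement, and a least-privileged connection. The Customers table, its sample rows and the injection payloads are constructed for the demo, and because SQLite has no logins, its authorizer callback stands in for a database account that was never granted DROP, ALTER, DELETE or UPDATE.

```python
import re
import sqlite3

# Constructed sample rows for the demo; the table name mirrors the post.
SAMPLE_CUSTOMERS = [
    ("O'Brien", "4111111111111111"),
    ("Smith", "5500000000000004"),
]


def make_db():
    """Fresh in-memory database holding the constructed Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Name TEXT, CreditCardNumber TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


# Layer 1, the UI: allow-list what a name field may contain. A legitimate
# apostrophe (O'Brien) passes, so this layer alone cannot save a
# concatenated query; it only shrinks the attack surface.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")


def is_valid_name(name):
    return NAME_RE.fullmatch(name) is not None


# Layer 2, the middle tier: the vulnerable pattern next to its fix.
def find_by_name_concat(conn, name):
    """VULNERABLE: the value is pasted into the SQL text, so a quote inside
    it closes the literal early (the syntax error quoted in the post) and a
    crafted value rewrites the WHERE clause."""
    sql = "SELECT Name FROM Customers WHERE Name = '" + name + "' ORDER BY Name"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn, name):
    """SAFE: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT Name FROM Customers WHERE Name = ? ORDER BY Name"
    return [row[0] for row in conn.execute(sql, (name,))]


def run_report_concat(conn, name):
    """VULNERABLE batch. Python's execute() refuses more than one statement,
    so executescript() stands in for a driver that accepts multi-statement
    batches; that is what turns an injected quote into injected DDL."""
    conn.executescript("SELECT Name FROM Customers WHERE Name = '" + name + "';")


# Layer 3, the database: an authorizer callback standing in for a
# least-privileged account. Listed actions are denied; all others pass.
DENIED_ACTIONS = {
    sqlite3.SQLITE_DROP_TABLE,
    sqlite3.SQLITE_ALTER_TABLE,
    sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_UPDATE,
}


def least_privilege(action, arg1, arg2, dbname, source):
    return sqlite3.SQLITE_DENY if action in DENIED_ACTIONS else sqlite3.SQLITE_OK


def table_exists(conn):
    sql = "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = 'Customers'"
    return conn.execute(sql).fetchone()[0] == 1


def attempt(fn, conn, name):
    """Run fn(conn, name); report ('ok', result) or ('error', exception name)."""
    try:
        return ("ok", fn(conn, name))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def demo():
    """Exercise all three layers; returns a dict so the outcomes can be checked."""
    tautology = "' OR '1'='1"                   # rewrites the WHERE clause
    ddl = "'; DROP TABLE Customers; SELECT '"   # closes the literal, drops, reopens it
    out = {}
    out["ui_rejects_tautology"] = not is_valid_name(tautology)
    out["ui_accepts_obrien"] = is_valid_name("O'Brien")

    conn = make_db()                            # admin-style connection: no limits
    out["concat_obrien"] = attempt(find_by_name_concat, conn, "O'Brien")
    out["concat_tautology"] = attempt(find_by_name_concat, conn, tautology)
    out["param_obrien"] = attempt(find_by_name_param, conn, "O'Brien")
    out["param_tautology"] = attempt(find_by_name_param, conn, tautology)
    out["ddl_as_admin"] = attempt(run_report_concat, conn, ddl)
    out["table_survives_as_admin"] = table_exists(conn)

    conn = make_db()                            # same bug, least-privileged connection
    conn.set_authorizer(least_privilege)
    out["ddl_as_least_privilege"] = attempt(run_report_concat, conn, ddl)
    out["table_survives_as_least_privilege"] = table_exists(conn)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the story the post tells: the concatenated lookup throws a syntax error on O'Brien and returns every customer for the tautology payload, while the parameterized lookup returns exactly the one row or none. The batch version drops the table when run as an unrestricted account, but the same injected DDL is refused once the connection is limited, which is the point of the third layer: the bug is still there, the blast radius is not.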
Bottom line, there's no magic bullet, but approaches for protecting against SQL injection attacks are well-known and well-documented.