Alykins speaks truth: Stored procedures used with parameterized queries (normal usage in ASP.NET) are the *BEST* way to avoid SQL Injection attacks.
Also, a properly designed SQL Server system that exclusively uses Stored Procedures for queries from ASP.NET (or any other client) provides the strongest possible data protection in many other ways.
For example, as a database administrator, you can import data and create and drop tables, create and drop indexes, etc., etc. And then you can create a *separate* user--the user account that ASP.NET will utilize--that has *ONLY* permission to execute stored procedures. And you can write the stored procedures to allow *ONLY* the actions you want to permit ASP.NET to perform. So even if some SQL Injection attack did succeed, it would not have permission to do all the really nasty things, such as drop tables and/or databases, because you don't have any Stored Procedures that will do those things.
An optimist sees the glass as half full.
A pessimist sees the glass as half empty.
A realist drinks it no matter how much there is.
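The layout described in the post above, as an added T-SQL example (not code from the post or from any project); the database, table, procedure and account names are assumed for illustration, and the caveat at the end covers the one way a stored procedure can still be injectable:

```sql
-- Added example: least-privilege SQL Server layout for an ASP.NET application user.
-- AppDb, dbo.Orders, dbo.GetOrdersForCustomer, app_login and app_user are assumed names.
USE AppDb;
GO
CREATE TABLE dbo.Orders (OrderId INT PRIMARY KEY, CustomerId INT, OrderDate DATE, Total MONEY);
GO

-- 1. The only operation the application may perform is wrapped in a procedure.
--    @CustomerId is a typed parameter, so its value is never parsed as SQL text.
CREATE PROCEDURE dbo.GetOrdersForCustomer
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END
GO

-- 2. A dedicated login/user for ASP.NET with no table rights at all:
--    EXECUTE on the schema's procedures, nothing else (no SELECT, INSERT, DROP ...).
CREATE LOGIN app_login WITH PASSWORD = '<placeholder: strong password from your secret store>';
CREATE USER app_user FOR LOGIN app_login;
GRANT EXECUTE ON SCHEMA::dbo TO app_user;
GO

-- 3. Verify the effective rights from the application's point of view.
EXECUTE AS USER = 'app_user';
    SELECT * FROM sys.fn_my_permissions('dbo.Orders', 'OBJECT'); -- returns no rows: no direct table access
    EXEC dbo.GetOrdersForCustomer @CustomerId = 42;               -- allowed, goes through the procedure
    -- DROP TABLE dbo.Orders;                                     -- would fail with a permission error
REVERT;
GO

-- Caveat: a procedure that concatenates its parameter into dynamic SQL brings the
-- injection right back, even when the caller uses parameters:
--   EXEC ('SELECT ... FROM dbo.Orders WHERE Note = ''' + @Note + '''');   -- injectable
-- If dynamic SQL is unavoidable, keep the value a parameter via sp_executesql:
--   EXEC sp_executesql N'SELECT ... FROM dbo.Orders WHERE Note = @n',
--        N'@n NVARCHAR(200)', @n = @Note;                                 -- still parameterized
```

From ASP.NET the procedure is called with a SqlCommand whose CommandType is CommandType.StoredProcedure and whose values are passed through SqlParameter objects, so no SQL text is ever built from user input on either side.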