SQL Injection can be avoided using HTML encoding. Please find the list of characters which needs to be handled which getting user inputs especially in multi-line text boxes.
 | (pipe sign)
 & (ampersand sign)
 ; (semicolon sign)
 $ (dollar sign)
 % (percent sign)
 @ (at sign)
 ' (single apostrophe)
 " (quotation mark)
 \' (backslash-escaped apostrophe)
 \" (backslash-escaped quotation mark)
 <> (triangular parenthesis)
 () (parenthesis)
 + (plus sign)
 CR (Carriage return, ASCII 0x0d)
 LF (Line feed, ASCII 0x0a)
 , (comma sign)
 \ (backslash)
Their is always a chance of manupulating the SQL script as part of form inputs and also end user can prepare a request dynamically and hit the target url's. If we use the HTML encode and decode this can be avoided.
While getting the input values from the form and before processing that.
string data = HTTPUtility.HTMLEncode(Textbox1.Text)
While rendering the data to UI
Textbox1.Text = HTTPUtility.HTMLDecode(data)This is simple and one of the best practice to avoid SQL injection.