Question:
SQL Injection Invalid Characters?
2007-10-14 20:42:21 UTC
Does anyone know whether a hacker can attack my site with SQL injection if, when he types in a query like a' or 'a' = 'a, my login form says "invalid characters in username"? Is there a way for a hacker to bypass this error?
Three answers:
2007-10-14 20:54:59 UTC
Based on the (lack of) information you have provided... I cannot say for sure.

The best thing to do would be to perform a penetration test... i.e., using a program like Nessus, Foundstone's Foundscan, or even MBSA if you are using all Microsoft. This will check for and attempt to hack in depending on your settings... for instance, Foundscan can do a non-intrusive scan which will just tell you if any cursory vulnerabilities exist... while an intrusive scan will actually attempt a brute force on a vulnerability if it finds one.

If you are using secure coding practices... this is a good start.

There are many websites that will walk you through the SQL Injection technique... here is one that even shows a variation of your own example:

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

However, you must also remember that SQL Injection is not the ONLY attack that can be run...

I would also suggest a multi-layered approach to your security. If you have the means, I would absolutely suggest hiring a security professional to perform both an internal and an external risk assessment on your business.

I also recommend checking out this website link... 10 hacker tricks for exploiting SQL sites ;D

http://searchsqlserver.techtarget.com/tip/1,289483,sid87_gci1165052_tax301336,00.html?bucket=ETA

Good Luck
2007-10-14 20:57:43 UTC
I write books about writing database applications. SQL injection is a real (and fairly common) issue. Yes, a hacker can attack your site by typing in certain phrases (which I do not divulge). There are ways to protect your application including making sure to manage all user input. One of my axioms: "All data is evil until proven innocent." This includes all data provided by users. So, when you accept a user name or password, make sure it does not contain "escape" or framing characters like single quotes. Make sure it is length restricted. There are other techniques that can be used for login names that are in my book (and several others). As for the other arguments you pass to SQL queries, make SURE you use parameters (ADO or ADO.NET Parameter objects). These shut down SQL injection attacks.

Contact me directly for more information or other sources.
sao
2016-10-22 15:08:02 UTC
In many circumstances SQL injection attacks fail because they force an SQL syntax error. The most robust protection is to apply a regular expression to the input data strings: only letters and numbers are allowed, and reject the input string if it includes words like SELECT, DELETE, UPDATE, etc. Flood attacks could be more complicated - I would suggest unplugging the session if it exceeds a connection limit - but the specifics are down to your SQL Server / web server combination. Doing verification server-side avoids hackers building and submitting their own forms.
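As an added example (not code from any of the answers above), here is the login query that the second answer's "use parameters" advice and the third answer's allow-list regex are both about, run against the exact string from the question. sqlite3 stands in for the SQL Server / ADO.NET setup the answers mention; the users table, the user "alice", her password and the function names are constructed for this demonstration. It tries the string against a plain concatenated query, against a form that validates the username only (the questioner's setup), and against a parameterized query.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# site's real user store (the thread mentions SQL Server / ADO.NET).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable: both fields are pasted straight into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


# Allow-list check of the kind the question's form and the third answer
# describe: letters and digits only, bounded length (values are assumptions).
USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def username_is_valid(username):
    return USERNAME_RE.fullmatch(username) is not None


def login_filtered_username(conn, username, password):
    """The questioner's setup: the username is validated, but the query is
    still built by concatenation, so any other field stays injectable."""
    if not username_is_valid(username):
        raise ValueError("invalid characters in username")
    return login_concatenated(conn, username, password)


def login_parameterized(conn, username, password):
    """Safe: values travel to the driver separately from the SQL text, so a
    quote inside them is just data, never part of the statement."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


INJECTION = "a' or 'a' = 'a"   # the exact string from the question


def run_demo():
    """Returns one result per scenario so the outcomes can be compared."""
    conn = make_db()
    results = {}
    # No validation, concatenated SQL: the injected string logs in.
    results["concat_injected"] = login_concatenated(conn, INJECTION, INJECTION)
    # Username filter: the question's string is rejected with the error.
    try:
        login_filtered_username(conn, INJECTION, INJECTION)
        results["filtered_username_injected"] = "no error"
    except ValueError:
        results["filtered_username_injected"] = "rejected"
    # Same filter, but the password field is still concatenated: bypassed.
    results["filtered_password_injected"] = login_filtered_username(
        conn, "alice", "x' or 'a' = 'a")
    # Parameters: the injected string is compared literally and fails.
    results["param_injected"] = login_parameterized(conn, INJECTION, INJECTION)
    results["param_real_user"] = login_parameterized(conn, "alice", "correct horse")
    results["param_wrong_password"] = login_parameterized(conn, "alice", "wrong")
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The run shows the answer to the question directly: the allow-list on the username rejects the string the asker typed, but the same form still accepts the injection through any other field that is concatenated into the query, so the "invalid characters" message is not what makes the form safe. Parameters close the hole for every field; the regex is worth keeping as a second layer, not as the only one.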


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.