Fellow MVP Steve Kass and Microsoft's Buck Woody have some links and advice about preventing SQL injection attacks not only from affecting your data but also from affecting your users. You can see the information here:
I agree with Steve wholeheartedly here. Having your data compromised is one thing… you learn from it, you fix it, you move on. But aiding in the distribution of whatever payload is in all of these <script> files that you are unwittingly unleashing on your viewers is something you should try to avoid at all costs. Unless you are storing your actual HTML content and layout in the database (which is usually a no-no), there is no reason you should ever blindly throw data from the database into a web page without first making sure that all HTML tags (like <BR>) are replaced with characters that make them non-rendering (like <BR>).
Another excellent resource is the following article: