So far this has been my favorite intro to a video. But it is true that there are hackers out there, and this video shows some of the techniques that people are using (this one is centered around exploiting SQL injection). I found it quite accurate, and it shows why unchecked user input is bad (back to HTML 1.0 for me!).
http://www.rockyh.net/AssemblyHijacking/

I don't know if I agree with his last point that strong naming the assembly would have fixed this issue. I remember reading some stuff a long time ago about how to get around this. Granted, it adds another layer of security, but once you have access to one DLL that you can reverse engineer and change, you would technically have access to the application that calls the changed assembly anyway. If I find some time I am going to play with hacking up strong names and see how good / bad / ugly they are in this scenario.
I would also like to point out that you should have your SQL Server isolated from the internet on an internal network:

                 123.456.789.22             192.168.1.4
Internet ------> Web Server --------> SQL Server
This way the SQL Server itself does not have access to the internet (only the web server does). It costs more, but it is a great way to circumvent (or at least make a lot harder) the kind of attack in Rocky's video. I would also recommend having some sort of firewall device between the web server and the SQL Server that only allows SQL traffic in and out, to further lock it down.
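Network isolation limits what an attacker can reach; the application-side fix for the injection the video centres on is to stop building SQL out of user input. The following is an added example (not code from the post or from the video) using an in-memory SQLite table constructed here, showing a string-concatenated login check next to its parameterized form and how a single constructed probe input is treated differently by each.

```python
import sqlite3

# Constructed sample input containing a quote character (not from the page).
# It is used only to show that the two query styles behave differently.
PROBE = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build a small in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Concatenation: the input becomes part of the SQL text, so a quote in
    # it changes the WHERE clause instead of being compared as a value.
    sql = (
        "SELECT COUNT(*) FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterized query: the driver binds the input as data, so the SQL
    # grammar is fixed before any user-controlled bytes are seen.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def compare() -> dict:
    """Run both checks with the probe as username and password."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, PROBE, PROBE),  # True: every row matches
        "safe": login_safe(conn, PROBE, PROBE),              # False: no such user
    }


if __name__ == "__main__":
    print(compare())
```

The vulnerable variant returns true without valid credentials because the probe rewrites the condition; the parameterized one simply finds no user named `' OR '1'='1`.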