You can stop it if you do the things as per the third link in Ocean10000 reply above.
SQL Injection [msdn.microsoft.com...]
That is specifically Microsoft, but the principles are the same regardless of the technology.
Sanitize all input (form fields, query string parameters) server side. If it doesn't match what is expected refuse to send it to the database.
Use stored procedures with typed parameters.
Where the web site doesn't need to update data in the database, give it read-only permissions to the database.