One of the basic tenets of secure coding is that ALL input is EVIL and should be validated and sanitized before being allowed into the application. This is also definitely an area where a lot of mistakes can be made.
The PAG folks have written a set of modular How-To's to tackle the finer points of injection attacks and as such implement effective input validation in your ASP.NET Applications. The guidance covers both .NET 1.1 and 2.0.
Check them out:
Very important information…read it, and live it.