Without knowing how your form works, it is difficult to answer, but the basic rules are: never ever concatenate strings to form SQL commands - always use parametrized queries. I don't know how you are doing yours, but in C#, you would replace:
SqlCommand cmd = new SqlCommand("INSERT INTO myTable (textColumn) VALUES ('" + myTextBox.Text + "')", con);
With
SqlCommand cmd = new SqlCommand("INSERT INTO myTable (textColumn) VALUES (@TX)", con);
cmd.Parameters.AddWithValue("@TX", myTextBox.Text);
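The same before/after contrast in runnable form, as an added example that is not part of the original answer: Python's sqlite3 module stands in for SqlCommand, an in-memory database stands in for `con`, and the `?` placeholder plays the role of `@TX`. It shows that with concatenation a quote in the text changes the SQL statement itself, while the parameter keeps the text as data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database mirroring the answer's myTable / textColumn.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE myTable (textColumn TEXT)")
    return con


def insert_concatenated(con: sqlite3.Connection, text: str) -> None:
    # The pattern the answer says never to use: the text becomes part of the SQL.
    con.execute("INSERT INTO myTable (textColumn) VALUES ('" + text + "')")


def insert_parameterized(con: sqlite3.Connection, text: str) -> None:
    # Equivalent of the @TX parameter: the driver passes the value separately,
    # so it is stored verbatim whatever characters it contains.
    con.execute("INSERT INTO myTable (textColumn) VALUES (?)", (text,))


def stored_values(con: sqlite3.Connection) -> list:
    return [r[0] for r in con.execute("SELECT textColumn FROM myTable ORDER BY rowid")]


def demo(text: str) -> dict:
    """Insert `text` both ways and report what actually ended up in the table."""
    result = {}
    con = make_db()
    try:
        insert_concatenated(con, text)
        result["concatenated"] = stored_values(con)
    except sqlite3.Error as e:
        # The quote inside the text broke the statement: it was parsed as SQL.
        result["concatenated"] = "error: " + str(e)
    con2 = make_db()
    insert_parameterized(con2, text)
    result["parameterized"] = stored_values(con2)
    return result


if __name__ == "__main__":
    # Constructed sample inputs: a name with an apostrophe and a string
    # whose quote closes the literal early and comments out the rest.
    for sample in ["plain text", "O'Brien", "x') --"]:
        print(repr(sample), "->", demo(sample))
```

The third input shows the silent failure: concatenation stores only "x" and discards the remainder without any error, while the parameterized insert stores the full string.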