Database Auditing
The ability to trace information flow inside a database: connections, data updates, deletes, inserts and selects, execution of functions and stored procedures, and so on.
Data Encryption
The data stored in a database is either plain text (ASCII, Unicode) or binary (BLOBs, images).
What can be encrypted with SQL Server 2008:
Login passwords
Stored procedure bodies
UDFs (user-defined functions)
Triggers / rules
Data packets on the wire, with SSL
e.g.
SELECT ENCRYPT(column1, password)
FROM product;
The password can instead be set once for the session with
SET ENCRYPTION PASSWORD = strPass;
(it then stays in effect for the duration of the session; note that this ENCRYPT / SET ENCRYPTION PASSWORD syntax is DB2's, while the SQL Server functions are listed next)
Functions for encryption and decryption in MS SQL 2008:
ENCRYPTBYKEY, ENCRYPTBYPASSPHRASE (with DECRYPTBYKEY and DECRYPTBYPASSPHRASE as their counterparts)
SQL Injection
If the user enters "100 OR 'a'='a'" in the user_id field and the statement is built by string concatenation, the select statement becomes:
SELECT * FROM users WHERE user_id=100 OR 'a'='a';
Because 'a'='a' is always true, it exposes all records.
The solution is to use parameters:
SELECT * FROM users WHERE user_id=@param1
and assign the value from the frontend to the parameter associated with the command, so the driver passes it to the database as data and never interprets it as SQL.
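The concatenated statement and its parameterized fix side by side, as an added example that is not part of the original notes. It uses an in-memory SQLite table (constructed sample data) as a stand-in for the SQL Server "users" table so it runs offline; the vulnerable pattern and the bound-parameter fix behave the same way with SQL Server's @param1 style parameters.

```python
import sqlite3

# Constructed sample rows standing in for the "users" table in the notes.
SAMPLE_USERS = [(100, "alice"), (101, "bob"), (102, "carol")]


def make_db():
    """Create the in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, user_input):
    """Vulnerable pattern: the user's text is pasted into the statement,
    so anything it contains is parsed as SQL."""
    sql = "SELECT user_id, name FROM users WHERE user_id=" + str(user_input)
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_input):
    """Fixed pattern: the value travels as a bound parameter (the "?" here,
    "@param1" in SQL Server), so the database only ever compares it as data."""
    sql = "SELECT user_id, name FROM users WHERE user_id=?"
    return conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    injected = "100 OR 'a'='a'"
    print("unsafe:", lookup_unsafe(conn, injected))   # every row comes back
    print("safe:  ", lookup_safe(conn, injected))     # no row has that id
    print("safe:  ", lookup_safe(conn, 100))          # the intended lookup
```

With the parameterized query the string "100 OR 'a'='a'" is compared against user_id as a literal value and matches nothing, while the concatenated version returns the whole table. For an integer key it is also worth converting the input with int() at the application boundary so malformed values are rejected before any query runs.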