How we can protect ASP.NET websites from SQL injection attack ?

You can avoid SQL Injection by using Parameterised qeries  or Stored Procedures.

Concern this linkThis will help you out

https://www.youtube.com/user/kudvenkat/search?query=injection

Validate the user input properly (Data Type).

Do not write query in your code instead of that use Stored Procedure with parameters 

there are three methods:

1-use parameters

2-Use stored procedures

3-validate all input

By using stored procedure and parameterized sql query you can prevent sql injection

1. DO NOT TRUST USER DATA. Sanitize all data going in and coming out of the database.

2. Use parameterized sql queries

If you have existing application and it uses queries without parameters you can add HTTP Module to validate all input controls values and query strings

Avoid inline queries, use stored procedures , use sql parameters

use Sql parameter for query instead direct use sql queries

Use stored procedures instead of directly using queries in controller

Use parameters with dynamic SQL. Constrain Input. You should validate all input to your ASP.NET applications for type, length, format, and range.