Recently we've received a number of emails to the firstname.lastname@example.org alias from users whose sites have suffered from SQL injection, enquiring whether DotNetNuke has any SQL injection issues. The short answer is no. For SQL injection attacks to work, the code typically needs to execute dynamic SQL, i.e. SQL statements that are built up via string concatenation and executed directly against the database, or else built inside a stored procedure that executes the statement via EXEC or sp_executesql. As a matter of policy we avoid both of those approaches and instead only use stored procedures with parameters, so default installations of DotNetNuke and any core modules are not vulnerable to SQL injection attacks.
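To make the distinction concrete, here is an added C# illustration (not DotNetNuke code) of the two data-access patterns described above: a query assembled by string concatenation, and the same lookup done through a parameterized stored procedure call. It assumes a hypothetical `Users` table with `UserID` and `Username` columns and a hypothetical stored procedure `GetUserByUsername` that takes a single `@Username` parameter; the connection string is a placeholder.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not part of the original post or the DotNetNuke code base.
// Assumed schema (hypothetical):
//   CREATE TABLE Users (UserID int, Username nvarchar(100));
//   CREATE PROCEDURE GetUserByUsername @Username nvarchar(100) AS
//       SELECT UserID, Username FROM Users WHERE Username = @Username;
public static class UserLookup
{
    // The pattern the post warns against: the caller's value is spliced into
    // the SQL text, so it becomes part of the statement's grammar rather than
    // data. Even a perfectly legitimate name containing a quote breaks it.
    public static string BuildConcatenatedQuery(string username)
    {
        return "SELECT UserID, Username FROM Users WHERE Username = '" + username + "'";
    }

    // The pattern DotNetNuke uses: a stored procedure invoked with a typed
    // parameter. The value travels to SQL Server as data, never as SQL text,
    // so it cannot alter the structure of the statement.
    public static DataTable GetUserByUsername(string connectionString, string username)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("GetUserByUsername", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 100).Value = username;

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    public static void Main()
    {
        // Constructed sample input: an ordinary surname with an apostrophe.
        const string name = "O'Brien";

        // The concatenated form yields malformed SQL for this input, which is the
        // same weakness an attacker exploits with crafted input.
        Console.WriteLine(BuildConcatenatedQuery(name));
        // SELECT UserID, Username FROM Users WHERE Username = 'O'Brien'

        // The parameterized form handles the same value correctly; the connection
        // string below is a placeholder and must point at a real database to run.
        const string connectionString = "Server=<server>;Database=<db>;Integrated Security=true";
        DataTable rows = GetUserByUsername(connectionString, name);
        Console.WriteLine("Rows returned: " + rows.Rows.Count);
    }
}
```

The point of the comparison is that escaping or filtering quotes in the first form is a losing game; the second form removes the problem by design, because the database driver sends the parameter value separately from the statement text. The same principle applies inside T-SQL: a procedure that builds a string and runs it with `EXEC` reintroduces the concatenation problem, whereas passing parameters to `sp_executesql` keeps values and SQL text apart.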
So far, all the instances we've been aware of have tracked their problem to the recent automated SQL attack that's been plaguing sites of all types and technologies (Microsoft have some good analysis of the problem here), so if you're experiencing issues I'd recommend you check out any legacy sites and 3rd party modules.
There are a number of tools that can help mitigate SQL injection, including code review tools and filters that stop typical injection attacks. There's a good list of tools and capabilities worth checking out here.