I have received many questions regarding an earlier post on SQL Injection that I made; the most common question being: what permissions do I set to be safe?

The answer is simple, really: give users as few permissions as possible while still giving them access to what they need. How to do this is another matter, but here is what I recommend.

Step 1: No roles other than public

Don't give your user any role in the database other than the all-inclusive "public" role. Any other role could give them access to tables that they have no need for, and that access could be exploited.

[Image: MS SQL Database User Properties]

Step 2: Give user limited access

Now that you've removed all global permissions for the user, you need to set what control they will have on specific tables. Be sure to set permissions for only the control they actually need.

[Image: MS SQL Database User Properties]

Step 3: Peace of Mind

In theory, steps 1 and 2 should be good enough to limit permissions on a user, but if you've been SQL Injected and are fed up with it, then Step 3 can give you peace of mind about being attacked again (at least from this particular type of attack).

Explicitly denying the user access to the sysobjects and syscolumns tables will prevent anyone using SQL Injection from getting the names of your tables and columns, and without that information they cannot execute any update statements against your database.

[Image: MS SQL Database User Properties]
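
The three steps as a T-SQL script, added here as an example and not taken from the original post. It assumes SQL Server 2005 or later; the user `webapp_user`, the tables `dbo.Products` and `dbo.Orders`, and the `db_datawriter` membership being removed are hypothetical names.

```sql
-- Hypothetical names: database user webapp_user, tables dbo.Products and dbo.Orders.

-- Step 1: list every database role the user currently belongs to.
-- (public is implicit and never appears in this list.)
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'webapp_user';

-- Drop each role returned above; db_datawriter is shown as one assumed example.
EXEC sp_droprolemember N'db_datawriter', N'webapp_user';

-- Step 2: grant only what the application actually does on each table.
GRANT SELECT ON dbo.Products TO webapp_user;        -- read-only table
GRANT SELECT, INSERT ON dbo.Orders TO webapp_user;  -- no UPDATE, no DELETE

-- Step 3: explicitly deny the catalog tables named in the post.
-- An explicit DENY takes precedence over any GRANT the user might inherit.
DENY SELECT ON sys.sysobjects TO webapp_user;
DENY SELECT ON sys.syscolumns TO webapp_user;

-- Check: impersonate the user and read back the effective permissions.
EXECUTE AS USER = N'webapp_user';

SELECT
    HAS_PERMS_BY_NAME(N'dbo.Orders',     N'OBJECT', N'INSERT') AS orders_insert,
    HAS_PERMS_BY_NAME(N'dbo.Orders',     N'OBJECT', N'UPDATE') AS orders_update,
    HAS_PERMS_BY_NAME(N'dbo.Products',   N'OBJECT', N'INSERT') AS products_insert,
    HAS_PERMS_BY_NAME(N'sys.sysobjects', N'OBJECT', N'SELECT') AS sysobjects_select,
    HAS_PERMS_BY_NAME(N'sys.syscolumns', N'OBJECT', N'SELECT') AS syscolumns_select;

-- Full list of what the user can do on one table, for review.
SELECT permission_name
FROM fn_my_permissions(N'dbo.Orders', N'OBJECT')
WHERE subentity_name = N'';   -- object-level rows only, not per-column rows

REVERT;  -- return to the administrator's own security context
```

With these grants and denies in place, the check should report INSERT on `dbo.Orders` as allowed and every other column in that result as not allowed; re-run it after any schema or role change to catch permission drift.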