In ColdFusion, use <cfstoredproc> together with <cfprocparam> so that values are bound as parameters of a prepared statement rather than spliced into the SQL text; if you use <cfquery>, wrap every dynamic value in <cfqueryparam>.
In Java, audit every use of java.sql.Statement to determine whether user-supplied data can reach the statement text and alter the query's intent. As a rule, do not use java.sql.Statement at all; use java.sql.PreparedStatement or java.sql.CallableStatement with bound parameters instead. Note that a PreparedStatement gives no protection if the SQL string handed to prepareStatement() was itself built by concatenating input; the untrusted value must be supplied through setString(), setInt(), and so on.
LDAP injection is also a possibility: a search filter or distinguished name assembled from raw input can be rewritten by the user in the same way as a SQL statement. Build LDAP queries through a library that escapes values for you (filter assertion values per RFC 4515, DN components per RFC 4514) rather than by hand, and treat any code that formats user input directly into a filter string as a defect.
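To make the LDAP point concrete, here is an added example (not from the original checklist) that implements RFC 4515 filter-value escaping and RFC 4514 DN-value escaping in plain Python and shows what a wildcard-and-parenthesis payload does to a filter built without it. The payload, the attribute names and the helper names are constructed for illustration; a production application should use its LDAP library's own escaping routines rather than this hand-written version.

```python
# RFC 4515 section 3: characters that must be escaped in a filter assertion value.
# Each is replaced by a backslash and its two-digit hex code.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514 section 2.4: characters that must be backslash-escaped anywhere
# inside an attribute value of a DN.
_DN_SPECIAL = set('"+,;<>\\')


def escape_filter_value(value):
    """Escape untrusted text for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape untrusted text for use as an attribute value in a DN.

    Besides the characters in _DN_SPECIAL, a leading '#', a leading space and a
    trailing space must be escaped, and NUL is written as \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_login_filter_vulnerable(username):
    """The anti-pattern: the username is formatted straight into the filter."""
    return "(&(objectClass=person)(uid=%s))" % username


def build_login_filter(username):
    """Same filter with the assertion value escaped, so '*', '(' and ')'
    in the input are matched literally instead of changing the filter."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)


def build_user_dn(username, base_dn="ou=people,dc=example,dc=com"):
    """Construct a DN for the user with the RDN value escaped. (base_dn is a
    constructed placeholder, not a real directory.)"""
    return "uid=%s,%s" % (escape_dn_value(username), base_dn)


def demo():
    # Constructed payload: closes the uid assertion and adds a wildcard match.
    payload = "*)(uid=*"
    return {
        "vulnerable": build_login_filter_vulnerable(payload),
        "escaped": build_login_filter(payload),
        "dn": build_user_dn("smith, john"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-10s %s" % (key, val))
```

With the payload, the vulnerable builder yields (&(objectClass=person)(uid=*)(uid=*)), a filter that matches every person entry; the escaped builder yields (uid=\2a\29\28uid=\2a), which matches only an entry whose uid is literally that string.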
Never build a SQL query by concatenating or interpolating untrusted input into the statement text; pass it to the driver as a bound parameter. Where a value cannot be parameterized (a table or column name, a sort direction), validate it against a fixed allow-list of known-good values before using it.
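The following is an added example, not part of the original checklist, showing the concatenated query beside its parameterized form and the allow-list approach for an identifier that cannot be bound. It uses Python's built-in sqlite3 module so it runs offline; the users table, its rows and the login helpers are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_USERS = [
    ("alice", "s3cret", "user"),
    ("bob", "hunter2", "admin"),
]

# Identifiers cannot be sent as bound parameters, so the only safe source
# for them is a fixed allow-list (constructed for this example).
ALLOWED_SORT_COLUMNS = {"username", "role"}


def setup_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The anti-pattern: the statement is assembled by string concatenation,
    so attacker-controlled text becomes part of the SQL grammar."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """The same check with bound parameters: the driver passes the values
    separately from the statement text, so they cannot change its intent."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def list_users(conn, sort_column):
    """ORDER BY takes an identifier, which cannot be parameterized; reject
    anything that is not in the allow-list before it touches the SQL text."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_column)
    rows = conn.execute(
        "SELECT username FROM users ORDER BY " + sort_column).fetchall()
    return [row[0] for row in rows]


def demo():
    conn = setup_db()
    # Constructed tautology payload placed in the password field.
    payload = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, "alice", payload),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, "alice", payload),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-14s %s" % (key, val))
```

With the payload in the password field the concatenated query becomes ... AND password = '' OR '1'='1', which is true for every row, so login_vulnerable() accepts the attacker; login_safe() compares the password column against the literal string ' OR '1'='1 and rejects it.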
Escape any potentially dangerous data for the context it is going to before it leaves your application, whether that destination is a client browser (HTML-encode it) or a database (bind it as a parameter, or escape it with the driver's own routine if it cannot be bound). Escaping is the final step applied to data that has already been validated, not a substitute for input filtering. The PHP function mysql_real_escape_string() belongs to the legacy mysql extension, which was deprecated in PHP 5.5 and removed in PHP 7.0; with mysqli or PDO, use prepared statements and fall back to mysqli_real_escape_string() only for a value that genuinely cannot be bound.