To prevent SQL injections, use stored procedures (unless you decide to use dynamic SQL within the stored procedure). However, this will not help the fact that you are using an Access database, as Chrishirst said. Please use MS SQL, MySQL, DB2, Oracle, any of these, instead of Access, especially because it will store credit card information. Also, since what I've seen so far scares me, MAKE SURE YOU ARE ENCRYPTING CREDIT CARD INFO IN THE DATABASE!
Can you tell us what this site is, so we know not to go there to buy something?
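
The caveat in the post above about dynamic SQL inside a stored procedure, shown as an added example that is not part of the original post. It is written in T-SQL for SQL Server; the table, column and procedure names are hypothetical.

```sql
-- Hypothetical schema for illustration (constructed, not from the thread).
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    Email      NVARCHAR(256) NOT NULL,
    FullName   NVARCHAR(200) NOT NULL
);
GO

-- Weak: the procedure concatenates @Email into the statement text, so the
-- input is parsed as SQL and the stored procedure gives no protection.
CREATE PROCEDURE dbo.FindCustomer_Concatenated
    @Email NVARCHAR(256)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, FullName FROM dbo.Customers WHERE Email = '''
        + @Email + N'''';
    EXEC (@sql);
END;
GO

-- Preferred: static SQL. @Email is only ever bound as a value.
CREATE PROCEDURE dbo.FindCustomer_Static
    @Email NVARCHAR(256)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, FullName FROM dbo.Customers WHERE Email = @Email;
END;
GO

-- When dynamic SQL is unavoidable (here, a caller-chosen sort column):
-- check the identifier against an allow-list, quote it with QUOTENAME,
-- and pass the data value through sp_executesql as a real parameter.
CREATE PROCEDURE dbo.FindCustomer_Sorted
    @Email      NVARCHAR(256),
    @SortColumn SYSNAME
AS
BEGIN
    SET NOCOUNT ON;
    IF @SortColumn NOT IN (N'CustomerId', N'FullName')
    BEGIN
        RAISERROR(N'Unsupported sort column', 16, 1);
        RETURN;
    END;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, FullName FROM dbo.Customers WHERE Email = @e ORDER BY '
        + QUOTENAME(@SortColumn);
    EXEC sys.sp_executesql @sql, N'@e NVARCHAR(256)', @e = @Email;
END;
GO
```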