I am getting the visitors ip with this method Request.UserHostAddress.ToString()
Are there any chance that it can be spoofed or used for sql injection. What are the risks and possibilities. thank you.
asp.net 4.0 , c# 4.0 , IIS 7.5
No. The IP is from the socket with the web server. It can not be spoofed (for more then one request). If the IP was spoofed, the client could only send a request to the server and would never see the reply.
I can not see how it can be used in a SQL injection, even if it was used directly in your SQL statement. It is an IP-address even if it was fake, and could not be SQL code.
Summary:
Spoofing: If the user has to navigate in your site (make more then one page-call). Then his IP needs to be correct (not spoofed).
Injection: The user can not put just any value into UserHostAddress: it needs to be an IP-address, and therefore can not be harmful if injected into your SQL statement.