I need to avoid being vulnerable to SQL injection in my ASP.NET application. How might I accomplish this?
Never trust user input - Validate all textbox entries using validation controls, regular expressions, code, and so on
Never use dynamic SQL - Use parameterized SQL or stored procedures
Never connect to a database using an admin-level account - Use a limited access account to connect to the database
Don't store secrets in plain text - Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings
Exceptions should divulge minimal information - Don't reveal too much information in error messages; use customErrors to display minimal information in the event of unhandled error; set debug to false
Useful link on MSDN: Stop SQL Injection
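For the "never use dynamic SQL" point above, here is an added C# example (not part of the original answer) showing the same lookup written with string concatenation and then with a typed parameter; the Users table, its UserName/PasswordHash columns, the connection string and the app_reader login are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Assumed connection string. In a real application read it from the
    // encrypted <connectionStrings> section of web.config, not from code,
    // and use a limited-privilege login such as the assumed app_reader.
    private const string ConnectionString =
        "Server=.;Database=AppDb;User Id=app_reader;Password=PLACEHOLDER;";

    // VULNERABLE: userName is pasted into the SQL text, so whatever the
    // user typed into the textbox becomes part of the statement itself.
    public static string GetPasswordHash_Unsafe(string userName)
    {
        string sql = "SELECT PasswordHash FROM Users WHERE UserName = '"
                     + userName + "'";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // SAFE: the statement text is fixed; the value is sent to SQL Server as
    // a typed parameter and is never parsed as SQL, whatever it contains.
    public static string GetPasswordHash(string userName)
    {
        const string sql =
            "SELECT PasswordHash FROM Users WHERE UserName = @UserName";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declare the type and length to match the column, so the
            // server rejects over-long input instead of truncating it.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string; // null when no row matches
        }
    }
}
```

The same parameter pattern applies when calling a stored procedure: set `cmd.CommandType = CommandType.StoredProcedure` and add the procedure's parameters the same way, rather than building an `EXEC` string.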