I need to avoid being vulnerable to SQL injection in my ASP.NET application. How might I accomplish this?
Use parametrized queries and/or stored procedures and pass your parameters via SQL parameters. Never generate SQL code by concatenating strings. Also do some reading about SQL injection and about writing secure code, because preventing SQL injection is only a small part of security. There are many more (like XSS - Cross Site Scripting). If a hacker wants to compromise your site/application, he will look for more than only SQL injection.
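The difference the answer describes, shown as an added example that is not part of the original answer: the same lookup built by string concatenation, as a parameterized query, and as a stored procedure call. The `Users` table, its columns, and the `dbo.GetUsersByLastName` procedure are hypothetical names; the commands are only constructed and inspected here, so no database is needed to run it.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserQueries
{
    // Before: the input is spliced into the SQL text, so a quote character
    // in the input changes the structure of the statement itself.
    public static SqlCommand BuildConcatenated(string lastName)
    {
        return new SqlCommand(
            "SELECT Id, Email FROM Users WHERE LastName = '" + lastName + "'");
    }

    // After: the SQL text is a constant and the value travels separately
    // as a typed parameter, so it is only ever treated as data.
    public static SqlCommand BuildParameterized(string lastName)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Email FROM Users WHERE LastName = @lastName");
        // Explicit type and length instead of relying on type inference.
        cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 100).Value = lastName;
        return cmd;
    }

    // Stored procedure variant: the value is still passed as a parameter.
    public static SqlCommand BuildStoredProcedure(string lastName)
    {
        var cmd = new SqlCommand("dbo.GetUsersByLastName"); // hypothetical procedure
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 100).Value = lastName;
        return cmd;
    }

    public static void Main()
    {
        string input = "O'Brien"; // constructed sample input containing a quote

        using (var bad = BuildConcatenated(input))
        using (var good = BuildParameterized(input))
        {
            // The concatenated text now has an unbalanced quote: input became SQL.
            Console.WriteLine("Concatenated : " + bad.CommandText);
            // The parameterized text is identical for every input.
            Console.WriteLine("Parameterized: " + good.CommandText);
            Console.WriteLine("  @lastName  = " + good.Parameters["@lastName"].Value);
        }
        // To execute: assign cmd.Connection to an open SqlConnection,
        // then call ExecuteReader() as usual.
    }
}
```

A stored procedure only helps if its body also avoids building SQL from its arguments by concatenation; one that assembles dynamic SQL from its parameters is exposed in the same way as the first method.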