How can I avoid SQL injection attacks in my ASP.NET application?

死守一世寂寞 2020-11-27 20:16

I need to avoid being vulnerable to SQL injection in my ASP.NET application. How might I accomplish this?

16 answers
  •  庸人自扰
    2020-11-27 20:50

    Scott Guthrie posted a decent little article about this a while back. In it, he offers 5 suggestions for protecting yourself:

    1. Don't construct dynamic SQL Statements without using a type-safe parameter encoding mechanism. [...]

    2. Always conduct a security review of your application before ever putting it in production, and establish a formal security process to review all code anytime you make updates. [...]

    3. Never store sensitive data in clear-text within a database. [...]

    4. Ensure you write automation unit tests that specifically verify your data access layer and application against SQL Injection attacks. [...]

    5. Lock down your database to only grant the web application accessing it the minimal set of permissions that it needs to function. [...]

    He does a decent job of explaining why these are important, and links to several other resources as well...
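
Suggestions 1 and 4 from the list above, as an added example that is not part of the original answer or of the article it cites: a parameterized `SqlCommand` together with an automated check that input containing quote or comment characters never changes the SQL text. The table, column and class names are assumptions, and the sample inputs are constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // on modern .NET, the Microsoft.Data.SqlClient package has the same types

static class UserQueries
{
    // Constant SQL text: user input never becomes part of the statement.
    public const string FindByNameSql =
        "SELECT Id, Email FROM dbo.Users WHERE UserName = @userName";

    // Hypothetical table and column names (dbo.Users, UserName), assumed for this example.
    public static SqlCommand BuildFindByName(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand(FindByNameSql, conn);
        // Explicit type and length: the value travels as typed data, separate from the SQL text.
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }
}

static class Program
{
    static int Main()
    {
        // Constructed sample inputs for the check, including quote and comment characters.
        string[] samples = { "alice", "O'Brien", "x' OR '1'='1", "bob'; --" };
        int failures = 0;
        foreach (string input in samples)
        {
            // No connection is opened; only the shape of the command is inspected.
            using (SqlCommand cmd = UserQueries.BuildFindByName(null, input))
            {
                bool textUnchanged = cmd.CommandText == UserQueries.FindByNameSql;
                bool oneParameter = cmd.Parameters.Count == 1;
                bool valueVerbatim = oneParameter && (string)cmd.Parameters[0].Value == input;
                bool typed = oneParameter && cmd.Parameters[0].SqlDbType == SqlDbType.NVarChar;
                if (!(textUnchanged && oneParameter && valueVerbatim && typed))
                {
                    failures++;
                    Console.Error.WriteLine("FAIL: unexpected command shape for input: " + input);
                }
            }
        }
        Console.WriteLine(failures == 0 ? "all checks passed" : failures + " check(s) failed");
        return failures;
    }
}
```

The same assertions can be moved into the project's unit-test framework so that any data access method that starts concatenating input into `CommandText` fails the build.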
