SQL Injection in .NET

自闭症患者 2021-01-23 17:01

Hi, I was wondering if anyone knew of some good websites detailing prevention for SQL injection for .NET web applications. Any resources would be greatly appreciated, thank you.

5 answers
  •  栀梦 (original poster)
    2021-01-23 18:04

    • golden rule: never concatenate user input
    • if you write your own command strings in .NET, use the Parameters collection
    • if you use LINQ, it will usually do it for you
    • if you write commands in TSQL, use sp_executesql or your vendor's equivalent
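
The rules in the answer above, shown side by side as an added C# example (not part of the original thread): the concatenated form to avoid, the same query through the Parameters collection, and a dynamic statement passed to sp_executesql. The `dbo.Users` table, its columns and the method names are hypothetical.

```csharp
// Added example; dbo.Users and its columns are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient; // Microsoft.Data.SqlClient exposes the same types

static class UserQueries
{
    // BEFORE: user input concatenated into the command text (the pattern to avoid).
    public static SqlCommand FindUserUnsafe(SqlConnection conn, string name)
    {
        return new SqlCommand(
            "SELECT Id, Email FROM dbo.Users WHERE Name = '" + name + "'", conn);
    }

    // AFTER: fixed command text; the value travels in the Parameters collection.
    public static SqlCommand FindUser(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Email FROM dbo.Users WHERE Name = @name", conn);
        // Explicit type and length, so the server-side type is not inferred.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // Dynamic T-SQL: sp_executesql keeps the value a parameter inside the batch.
    public static SqlCommand FindUserDynamic(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand("sys.sp_executesql", conn)
            { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@stmt", SqlDbType.NVarChar, -1).Value =
            "SELECT Id, Email FROM dbo.Users WHERE Name = @name";
        cmd.Parameters.Add("@params", SqlDbType.NVarChar, -1).Value =
            "@name nvarchar(100)";
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    static void Main()
    {
        string input = "O'Brien"; // constructed input; the quote ends the literal early
        using (var conn = new SqlConnection()) // never opened; nothing is executed
        {
            Console.WriteLine(FindUserUnsafe(conn, input).CommandText);
            Console.WriteLine(FindUser(conn, input).CommandText);
            Console.WriteLine(FindUserDynamic(conn, input).Parameters["@name"].Value);
        }
    }
}
```

Only the first command's text changes with the input; in the other two the statement stays constant and the value is carried separately as a typed parameter.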
