SQL Injection filter method for ASP.NET

Question

I've got fields that are free-form text and allow just about any combination of numbers/symbols. What's the best way to validate these to prevent SQL Injection? Can I run a simple replace of tick marks? Is there a method out there I can plug in to use?

Answer 1

Just use parameterized queries! Check out this article here: http://www.functionx.com/aspnet/sqlserver/parameterized.htm

Answer 2

There are various methods outlined here: How To: Protect From SQL Injection in ASP.NET

quote:

Countermeasures include using a list of acceptable characters to constrain input, using parameterized SQL for data access, and using a least privileged account that has restricted permissions in the database. Using stored procedures with parameterized SQL is the recommended approach because SQL parameters are type safe. Type-safe SQL parameters can also be used with dynamic SQL. In situations where parameterized SQL cannot be used, consider using character escaping techniques.

Validation controls can help, though run them server side, not client side. ASP.NET does have some protection built in also, but I wouldn't rely on it alone.