Wednesday, 24 September 2008

Injection Flaws

Definition:

Injection occurs when user-supplied data is sent to an interpreter (a SQL engine, an LDAP server, a shell, an XPath evaluator) as part of a command or query. Attackers trick the interpreter into executing unintended commands by supplying specially crafted data.

Injection flaws allow attackers to create, read, update, or delete any data available to the application. In the worst case, these flaws let an attacker completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments, because the injected commands run from the inside with the application's own access.

Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application. The root cause is always the same: the application builds a command string by mixing its own syntax with untrusted data, and the interpreter has no way to tell which part was meant as structure and which part was meant as data.

Protection:

Avoid the use of interpreters when possible. If you must invoke an interpreter, the key method to avoid injection is the use of safe APIs, such as strongly typed parameterized queries and object-relational mapping (ORM) libraries like Hibernate or LLBLGen Pro. Note that an ORM protects you only as long as you use its parameterized query facilities; an HQL or SQL string assembled by concatenation inside an ORM is just as injectable as raw SQL.

These interfaces handle all data escaping, or do not require escaping at all because data and command travel separately. Note that while safe interfaces solve the problem, validation is still recommended in order to detect attacks. Using interpreters is dangerous, so it is worth taking extra care.

• Input validation is key to a secure application; consider it for every input, in every topic. Use an "accept known good" (whitelist) validation strategy rather than trying to block known-bad patterns, because the list of bad patterns is never complete.

• Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures. A stored procedure invoked with concatenated arguments, or one that builds dynamic SQL internally with EXEC, is still injectable.

• Enforce least privilege when connecting to databases and other backend systems: a login that can only execute the few procedures the application needs limits what a successful injection can do.

• Avoid detailed error messages that are useful to an attacker. Do not forget that attackers accumulate clues (table names, column names, driver versions) from your error messages; log the detail on the server and return a generic message to the user.

.NET Overview:
As mentioned above, input validation is very important. Validation has two sides, client and server. Even if you have scripts that validate input on the client side, you cannot trust the value, because anyone can bypass client-side validation by sending the request directly. You have to check it again on the server side, for example with the Regex class.

using System.Text.RegularExpressions;

// Server-side whitelist check: letters, apostrophe, period and whitespace only, 1 to 40 characters.
if (!Regex.IsMatch(userIDTxt.Text, @"^[a-zA-Z'.\s]{1,40}$"))
    throw new FormatException("Invalid name format");

All of your ADO.NET data access must be parameterized: the command text contains only the @au_id placeholder, and the value is supplied separately through a typed, length-limited parameter (myCommand here is a SqlDataAdapter whose SelectCommand uses that placeholder).

myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
myCommand.SelectCommand.Parameters["@au_id"].Value = userIDTxt.Text;

To protect your application from SQL injection, perform the following steps:

• Constrain input.
• Use parameters with stored procedures.
• Use parameters with dynamic SQL.
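The vulnerable pattern from the definition section above, next to the hardened ADO.NET pattern that the three steps prescribe, as an added example. This is editor-supplied code, not the post's own and not taken from the linked MSDN article. The Authors table (au_id, au_lname, au_fname), the usp_GetAuthor stored procedure, the app_reader login and the connection string are assumptions made for illustration.

```csharp
// Added example, not code from the original post. Assumed: a pubs-style
// Authors table, a stored procedure usp_GetAuthor(@au_id), and a SQL login
// "app_reader" that holds only EXECUTE on that procedure and SELECT on Authors.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class AuthorLookup
{
    // Least privilege: a dedicated low-privilege login, never sa or dbo.
    // (Assumed connection string; replace for your environment.)
    private const string ConnectionString =
        "Server=.;Database=pubs;User Id=app_reader;Password=change-me;";

    // VULNERABLE: the user's text is spliced into the SQL grammar, so the
    // interpreter cannot tell data from command. Shown only to illustrate the
    // flaw described above; never use this form.
    public static string BuildUnsafeQuery(string authorId)
    {
        return "SELECT au_lname, au_fname FROM Authors WHERE au_id = '" + authorId + "'";
    }

    // Step 1, constrain input ("accept known good"): au_id in pubs has the
    // shape nnn-nn-nnnn, so anything else is rejected before it reaches SQL.
    public static bool IsValidAuthorId(string authorId)
    {
        return authorId != null && Regex.IsMatch(authorId, @"^\d{3}-\d{2}-\d{4}$");
    }

    // Step 3, parameters with dynamic SQL: the SQL text holds only the
    // placeholder @au_id; the value travels separately, typed and length-limited,
    // so a quote or "--" inside it is just data.
    public static string FindAuthorDynamic(string authorId)
    {
        if (!IsValidAuthorId(authorId))
            throw new FormatException("Invalid author id format");
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(
            "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", connection))
        {
            command.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = authorId;
            return ReadName(connection, command);
        }
    }

    // Step 2, parameters with stored procedures: same rule. This protects you only
    // if usp_GetAuthor does not itself concatenate @au_id into dynamic SQL (EXEC).
    public static string FindAuthorStoredProc(string authorId)
    {
        if (!IsValidAuthorId(authorId))
            throw new FormatException("Invalid author id format");
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand("usp_GetAuthor", connection))
        {
            command.CommandType = CommandType.StoredProcedure;
            command.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = authorId;
            return ReadName(connection, command);
        }
    }

    private static string ReadName(SqlConnection connection, SqlCommand command)
    {
        connection.Open();
        using (SqlDataReader reader = command.ExecuteReader())
        {
            return reader.Read() ? reader.GetString(0) + ", " + reader.GetString(1) : null;
        }
    }

    // Error handling: keep the detail (table and column names, SQL syntax errors)
    // in the server log and give the caller a message that leaks nothing.
    public static string SafeLookup(string authorId)
    {
        try { return FindAuthorDynamic(authorId) ?? "No such author"; }
        catch (FormatException) { return "Invalid request"; }
        catch (SqlException ex)
        {
            Console.Error.WriteLine(ex);   // server-side log only
            return "Lookup failed";
        }
    }

    public static void Main()
    {
        // Constructed attacker input: closes the quote, makes the WHERE clause
        // always true and comments out the trailing quote.
        string attack = "' OR 1=1 --";
        Console.WriteLine(BuildUnsafeQuery(attack));
        Console.WriteLine(IsValidAuthorId(attack));
        Console.WriteLine(SafeLookup(attack));
    }
}
```

Running Main needs no database: it prints the concatenated query, in which the attacker's text has become part of the WHERE clause (SELECT au_lname, au_fname FROM Authors WHERE au_id = '' OR 1=1 --'), then shows the same input failing the whitelist and SafeLookup returning only "Invalid request". The two parameterized methods are the only code that ever reaches SQL Server, and with the assumed schema in place they return the same row for a well-formed id; they differ only in whether the query text or a procedure name is sent, and in both cases the id is bound as a VarChar(11) parameter rather than pasted into the command.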

http://msdn.microsoft.com/en-us/library/ms998271.aspx
