March 24, 2008

Helpful Tips for Developers on Fighting SQL Injection

Filed under: Application Development, Data System Development — stratumIT @ 8:23 pm

Michael Coles wrote a nice little tips article for SQLServerCentral.com on doing your best to fight SQL Injection.

As a developer you probably already have many little tricks in your toolbag to fight these pesky predators. It certainly doesn’t hurt to see another coder’s ideas.

Here’s a quick excerpt:

For many years now, SQL Injection attacks on large corporate websites have been highly publicized. Several articles around the Web have described what an injection attack is, how it works, and the basics of how to defend against it. A couple of very good articles here at SQL Server Central also delve into this topic (SQL Injection by Christoffer Hedgate and SQL Injection - Part 1 by Randy Dyess). So why did I feel the need to write another article on SQL Injection? For three reasons:
1. The good work by Mr. Dyess and Mr. Hedgate offers code samples and examples for ASP. I felt that a sample pertaining to ASP.NET, for those without the ASP background, was in order.
2. These two authors focus on using parameterized queries; and in the case of Mr. Hedgate, validating user input. Excellent advice all around, but I feel there are other lines of defense which should be addressed as well.
3. Finally, no matter how many SQL Injection articles are posted around the Web, DBAs and developers continue to post highly exploitable code samples to newsgroups and discussion boards.
In this article, I hope to build upon the good work of Mr. Hedgate and Mr. Dyess, and provide updated samples as well as a more complete defensive strategy for dealing with SQL Injection.
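The two defenses the excerpt names, parameterized queries and input validation, are easy to see side by side in a small runnable demo. The block below is an added example, not Michael Coles’s ASP.NET sample and not code from SQLServerCentral; it uses Python’s standard sqlite3 module with a constructed in-memory users table in place of ASP.NET and SQL Server, since the principle (never let user text become SQL syntax) is the same on either stack. The table contents, the `lookup_user_*` function names and the allow-list pattern are all assumptions made for the demo.

```python
import re
import sqlite3

# Constructed sample data for the demo; not a real user store.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-password", "user"),
    ("bob", "hash-of-bob-password", "admin"),
]


def build_demo_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """The exploitable pattern: user text is concatenated into the SQL string,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_parameterized(conn, username):
    """The parameterized pattern: the SQL text is fixed and the value travels
    separately as a bound parameter, so it can never change the query's shape."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed allow-list for usernames: letters, digits, dot, underscore, dash, 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_username(username):
    """Input validation as a second line of defense: reject anything outside the
    allow-list before it reaches the database at all."""
    return bool(USERNAME_RE.match(username))


def lookup_user_defended(conn, username):
    """Both defenses together: validate first, then query with parameters."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allow-list validation")
    return lookup_user_parameterized(conn, username)


def run_demo():
    """Run the same tautology input through each version and summarize the outcome."""
    conn = build_demo_db()
    tautology = "' OR '1'='1"  # classic quote-breaking input, used only to show the difference
    try:
        lookup_user_defended(conn, tautology)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_rows_for_alice": len(lookup_user_vulnerable(conn, "alice")),
        "vulnerable_rows_for_tautology": len(lookup_user_vulnerable(conn, tautology)),
        "parameterized_rows_for_tautology": len(lookup_user_parameterized(conn, tautology)),
        "defended_rejects_tautology": rejected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every row for the quote-breaking input because the concatenated query becomes `WHERE username = '' OR '1'='1'`; the parameterized lookup returns nothing, since the whole string is compared as one value, and the defended version never sends it to the database at all. In ASP.NET the equivalent of the parameterized form is a `SqlCommand` with `SqlParameter` objects rather than a concatenated command text.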

Get Michael’s full Update SQL Injection article here.
