Addressing a few points that have been made in the thread:
First, use of stored procedures is not an automatic guarantee of safety from SQL injection errors, as it's possible for a stored procedure to create an SQL query dynamically.
Though it's easy to parameterize a query that includes "... WHERE ID = ?", you can't do the same thing for "SELECT a,b,c FROM ? WHERE ..." -- table names can't be replaced that way, so you have to build it dynamically.
I'm not much of a web programmer and I have had to do this enough times that it seems to be a common enough practice.
The problem is that many people sanitize wrong by excluding known-bad characters. This is dangerous unless you really seriously truly know everything about Unicode and international character sets - just asking for problems.
Better is to sanitize by including only known-good characters, and for a table name it might be A-Z0-9_ - if the table name contains characters outside that range, it's rejected.
The side effect of this is that if you have incomplete knowledge of what should be included, your code will fail loudly but safely. Many databases allow for qualification with owner names, so a dot would be added to the list above, and attempts to use a table name with a dot will fail.
But this is far, far better than the penalty for getting the known-bad list wrong.
Second, I think that suggesting stored procedures for everything is a bit excessive - there are enough apps with a few modest queries that can be well served by making those apps self-contained and not having to create the SP in the database. It's a good practice, but not one to be slavish about.
Finally, there are frameworks that mostly take the SQL out of your hands, and I'm sure that .NET has such frameworks. You'll map out your data, and stuff like LINQ or other things generate the queries for you. These are probably safe.
But even a good framework will occasionally require a funky query created directly, and that's where you have to really be careful, as well as why .NET does not provide any universal and automatic protection against this kind of thing.
Stephen J. Friedl | Unix Wizard | Security Consultant | Orange County, California USA | my web site
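An added example, not from the post above or its author, showing the known-good-characters approach to a dynamic table name in Python against an in-memory SQLite database constructed for the demonstration. The table name is accepted only if every character is in A-Z, a-z, 0-9 or underscore (with an optional owner qualifier when explicitly enabled), anything else is rejected loudly, and the `WHERE id = ?` value is bound as a parameter since that part the driver can handle. The table, column and function names are assumptions.

```python
import re
import sqlite3

# Known-good characters for one bare identifier. The class is spelled out
# rather than written as \w or \d, which in Python also match Unicode
# letters and digits from other scripts.
_IDENT = r"[A-Za-z0-9_]+"
_BARE = re.compile(_IDENT)
# Owner-qualified form "owner.table": the dot is allowed only as a separator.
_QUALIFIED = re.compile(rf"{_IDENT}\.{_IDENT}")


def is_valid_table_name(name, allow_owner=False):
    """True if every character of name is on the allow-list.

    fullmatch is used deliberately: re.match with a trailing '$' would let
    a name ending in a newline through.
    """
    if _BARE.fullmatch(name):
        return True
    return bool(allow_owner and _QUALIFIED.fullmatch(name))


def validate_table_name(name, allow_owner=False):
    """Return the name unchanged if it is allow-listed, else raise ValueError.

    Unknown characters are never stripped or escaped; the request fails
    loudly so that gaps in the allow-list are noticed instead of exploited.
    """
    if not is_valid_table_name(name, allow_owner):
        raise ValueError(f"rejected table name: {name!r}")
    return name


def select_by_id(conn, table, row_id, allow_owner=False):
    """SELECT a, b, c FROM <table> WHERE id = ? with an allow-listed table name
    and the id bound as a parameter."""
    safe_table = validate_table_name(table, allow_owner)
    sql = f"SELECT a, b, c FROM {safe_table} WHERE id = ?"
    return conn.execute(sql, (row_id,)).fetchall()


def make_demo_db():
    # Constructed sample data (hypothetical ORDERS table) for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ORDERS (id INTEGER PRIMARY KEY, a TEXT, b TEXT, c TEXT)")
    conn.executemany("INSERT INTO ORDERS VALUES (?, ?, ?, ?)",
                     [(1, "x", "y", "z"), (2, "p", "q", "r")])
    conn.commit()
    return conn


def demo():
    """Run one good name and several bad ones; report which were rejected."""
    conn = make_demo_db()
    outcome = {"ORDERS": select_by_id(conn, "ORDERS", 1)}
    # Constructed bad inputs: a statement separator, a trailing newline, and a
    # Cyrillic capital O that looks like the Latin letter but is not on the list.
    for bad in ("ORDERS;", "ORDERS\n", "\u041eRDERS", "dbo.ORDERS"):
        try:
            select_by_id(conn, bad, 1)
            outcome[bad] = "accepted"
        except ValueError:
            outcome[bad] = "rejected"
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(repr(name), "->", result)
```

Note that `dbo.ORDERS` is rejected above because the owner qualifier was not enabled; with `allow_owner=True` the same name passes validation, which is exactly the trade-off the post describes: the list is extended on purpose, and anything not yet on it fails safely.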