ASP.NET MVC: Simple SQL Injection security

I'm developing an ASP.NET MVC 3 app and need a way around SQL injections, something simple would be useful. I have followed Microsoft's article on the matter but it doesn't seem to match up with my code and structure.

Any help is greatly appreciated


1 Answer

To prevent sql injection:

Do not form any dynamic sql.

  1. Use stored procedures (and do not include any dynamic sql in a stored proc - if you do, make sure you use sp_executesql and not exec, as sp_executesql can take a parameterized query)
  2. use parameterized queries
  3. use an ORM (ex. entity framework) which uses parameterized queries behind the scenes anyways.

try not to use any dynamic sql - if you must for some reason then make sure you use parameterized queries.

Don't just simply use dynamic sql and remove quotes from them - it's a bit dangerous to assume that would be the only attack vector, as some do.

Adam Tuliper answered Jan 30 '26 16:01
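The three options the answer lists, shown side by side with the dynamic-SQL pattern it warns against. This is an added example written for this page, not code from the question or the answer: the `AppDb` connection string, the `Users` table, the `dbo.usp_CountUsersByName` procedure and the `AppDbContext`/`User` EF types are all assumed names for a .NET Framework ASP.NET MVC 3 project using `System.Data.SqlClient` and Entity Framework.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

// Hypothetical data-access class for an ASP.NET MVC 3 app.
// The connection string name "AppDb" and the table/column names are assumptions.
public class UserRepository
{
    private readonly string _connectionString =
        ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    // VULNERABLE: dynamic SQL built by string concatenation. The caller-supplied
    // value becomes part of the SQL text, so the database parses it as SQL and
    // a crafted value can change what the statement does. Stripping quotes from
    // the input does not make this safe, as the answer points out.
    public int CountByUsernameUnsafe(string username)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Username = '" + username + "'";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // SAFE (option 2): parameterized query. The SQL text is a constant; the value
    // is sent separately as a typed parameter and is never parsed as SQL.
    public int CountByUsername(string username)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE Username = @Username";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 256).Value = username;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // SAFE (option 1): stored procedure invoked with CommandType.StoredProcedure,
    // so inputs arrive as parameters. The procedure body (assumed name
    // dbo.usp_CountUsersByName) must not EXEC a concatenated string; if it needs
    // dynamic SQL at all it should use the parameterized form, e.g.
    //   EXEC sp_executesql N'SELECT COUNT(*) FROM Users WHERE Username = @u',
    //                      N'@u nvarchar(256)', @u = @Username;
    public int CountByUsernameViaProc(string username)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("dbo.usp_CountUsersByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 256).Value = username;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}

// SAFE (option 3): Entity Framework. A LINQ predicate is translated to SQL with
// the compared value bound as a parameter, which is the "parameterized queries
// behind the scenes" the answer mentions. Entity and context types are assumed.
public class User
{
    public int Id { get; set; }
    public string Username { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<User> Users { get; set; }
}

public class UserQueries
{
    private readonly AppDbContext _db;

    public UserQueries(AppDbContext db)
    {
        _db = db;
    }

    public int CountByUsername(string username)
    {
        // Translated to a parameterized SELECT COUNT(*); username is never
        // spliced into the SQL text.
        return _db.Users.Count(u => u.Username == username);
    }
}
```

In a controller, only the three safe methods should be reachable from request input; `CountByUsernameUnsafe` is included purely to make the contrast visible. Note that EF's `SqlQuery`/`ExecuteSqlCommand` and SqlClient's `SqlCommand` are equally safe only when the value goes in as a parameter; concatenating into the string passed to any of them reintroduces the problem.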