How To: Protect From Injection Attacks in ASP.NET

• SQL injection. If you generate dynamic SQL queries based on user input, an attacker could inject malicious SQL commands that can be executed by the database.
• Cross-site scripting. Cross-site scripting (XSS) attacks exploit vulnerabilities in Web page validation by injecting client-side script code. This code is subsequently sent to an unsuspecting user's computer and executed on the browser. Because the browser downloads the script code from a trusted site, the browser has no way of determining whether the code is legitimate.
• Unauthorized file access. If your code accepts input from a caller, a malicious user could potentially manipulate your code's file operations, such as accessing a file they should not access or exploiting your code by injecting bad data.