Here are some recommendations for you:
1. Secure the Web Tier
You need to ensure that your application/website tier validates all user input before passing it on to the database layer. Rather than checking for invalid characters (quotations etc.), as there are potentially many, I recommend to my clients that they define a list of “valid” input values for their interfaces/forms etc.
2. Use Bound Parameters
In order to negate SQL Injection you need to ensure that any parameters that are passed to SQL calls are adequately bound.
3. Use Different Connections
Use different connections/logins for different tasks, i.e. the connection that is validating a user’s email address does not need to have update permissions to the database. I often recommend to clients that they use a connection/account with minimal privileges for all operations (i.e. logging a user into their system) unless otherwise necessary. Once a user has been authenticated they can be provided with access to/via another connection that has more privileges.
4. Use Stored Procedures
Use stored procedures to interact with your database rather than generating/building SQL dynamically.
Also take a look at the following Microsoft article: http://msdn.microsoft.com/en-us/library/ms161953.aspx
Hope this helps.
John Sansom (@sqlBrit) | www.johnsansom.com
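A worked illustration of points 1 to 3 in the answer above, added here as example code; it is not from John's answer nor from the linked Microsoft article. It uses Python's sqlite3 module so it runs offline: the users table, the two accounts and the injection payload are constructed for the demo, a read-only sqlite connection (`mode=ro`) stands in for a minimally privileged login, and the `ALLOWED_SORT` allowlist shows the "list of valid values" approach for a sort column, which cannot be bound as a parameter.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample data for the demo (not from the original post).
USERS = [
    ("alice", "alice@example.com", "hash-a"),
    ("bob", "bob@example.com", "hash-b"),
]


def make_db():
    """Create a throwaway database file with the sample users table."""
    path = os.path.join(tempfile.mkdtemp(), "users.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    conn.close()
    return path


def readonly_conn(path):
    """Least privilege: this connection can read but never write (assumed stand-in for a low-privilege login)."""
    return sqlite3.connect("file:" + path + "?mode=ro", uri=True)


def lookup_vulnerable(path, email):
    """Dynamic SQL: user input is pasted into the statement text, so it can rewrite the query."""
    conn = sqlite3.connect(path)
    sql = "SELECT name FROM users WHERE email = '" + email + "'"
    rows = conn.execute(sql).fetchall()
    conn.close()
    return [r[0] for r in rows]


def lookup_bound(path, email):
    """Bound parameter: the input travels as data, never as SQL text."""
    conn = readonly_conn(path)
    rows = conn.execute("SELECT name FROM users WHERE email = ?", (email,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


def readonly_write_blocked(path):
    """Show that the low-privilege connection cannot modify data even if asked to."""
    conn = readonly_conn(path)
    try:
        conn.execute("DELETE FROM users")
        conn.commit()
        return False
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return True
    finally:
        conn.close()


# Allowlist validation for the web tier: accept only the shape the field is meant to carry.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_valid_email(value):
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


# Identifiers (column names) cannot be bound, so they are checked against a fixed list instead.
ALLOWED_SORT = {"name", "email"}


def list_users_sorted(path, sort_col):
    if sort_col not in ALLOWED_SORT:
        raise ValueError("unsupported sort column: %r" % sort_col)
    conn = readonly_conn(path)
    rows = conn.execute("SELECT name FROM users ORDER BY " + sort_col).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every user leaks
    print("bound:     ", lookup_bound(db, payload))        # no match
    print("email ok?  ", is_valid_email(payload))          # rejected at the web tier
    print("write blocked on read-only connection:", readonly_write_blocked(db))
```

The payload `x' OR '1'='1` turns the concatenated query into `... WHERE email = 'x' OR '1'='1'`, which returns every row; the bound version compares the whole string literally and returns nothing, and the allowlist rejects it before it ever reaches the database. Point 4 (stored procedures) is not shown because sqlite has no stored procedures; on SQL Server the same idea is to grant the application login EXECUTE on the procedures only, with no direct table access.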