Writing Secure Code, Second Edition
Summary
Database applications are incredibly common, and unfortunately, many of these applications are vulnerable to injection attacks. By following some simple rules, you can eliminate the risk of such attacks from your applications:
Do not trust the user's input!
Be strict about what represents valid input and reject everything else. Regular expressions are your friend.
Use parameterized queries not string concatenation to build queries.
Do not divulge too much information to the attacker.
Connect to the database server by using a least-privilege account, not the sysadmin account.