Make sure all queries are parameterised like this:
' requires Imports System.Data and Imports System.Data.SqlClient
Dim sql As String = "select * from contacts where contactid = @id"
Dim cmd As SqlCommand = New SqlCommand(sql, conn)
cmd.Parameters.Add("@id", SqlDbType.VarChar)
cmd.Parameters("@id").Value = id  ' bound as a value, never spliced into the SQL text
I also include a user control which checks the query string for bad terms:
The list is long but this snippet should give you the gist of it:
Dim querystringvar As String = Request.QueryString.ToString
' InStr returns the 1-based position (0 if not found); CompareMethod.Text makes the match case-insensitive
If InStr(querystringvar, "drop", CompareMethod.Text) > 0 Then
    Response.Redirect("/errors/504.aspx")
ElseIf InStr(querystringvar, "select", CompareMethod.Text) > 0 Then
    Response.Redirect("/errors/504.aspx")
End If