SQL Injection

Hi,

I have to check all textboxes in my web application for SQL injection.
Is there any ready product that detects SQL injection patterns?
A regular expression also would be helpful.

Any help would be appreciated,
Ali

Joe Kaplan (MVP - ADSI)

It seems to me you would want to do two things here as there are two
different problems:

1. Check all of your SQL code to ensure that you are using parameterized
   queries
2. Verify that your input contains only valid input based on what is being
   requested

Parameterized queries in ADO.NET will prevent SQL injection attacks. If you
are building queries by creating SQL strings on the fly, then you should
concentrate on fixing that first. You can still use parameterized queries
without stored procedures if you don't want to or can't use them.

The next thing you want to do is ensure that your input conforms to what it
should be. This will help prevent all sorts of other attacks besides SQL
injection such as Cross Site Scripting.

Validating input should be done based on what is allowed, not based on what
is not allowed, so trying to look for signs of SQL injection in your inputs
is the wrong way to go.

Regular expressions are excellent tools for validating input, but they are
"domain dependent", meaning that no one regular expression can validate any
random text. It depends on what is required.

http://www.regexlib.com/ is an excellent source of regular expressions,
especially for .NET.

The bottom line is that you need to carefully validate input AND make sure
your database code is not susceptible to SQL injection. You shouldn't just
do one or the other. Read "Writing Secure Code" and/or the "Code Secure"
column on MSDN for more info.

HTH,

Joe K.
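As an added example that is not part of the original thread and is not ADO.NET code (the same pattern applies there with SqlCommand.Parameters), this shows the string-built query Joe says to fix first beside its parameterized form, and why an allowlist regex is the right validation and a denylist "look for injection" regex is not. It uses Python's sqlite3 against a constructed in-memory table; the table, column names, regexes and payloads are assumptions for illustration only.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


# --- the bug: SQL assembled by string concatenation -------------------------

def find_by_name_unsafe(conn, username):
    """Textbox value is pasted straight into the SQL text."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_by_id_unsafe(conn, user_id):
    """Numeric context: no quotes in the SQL at all, so a quote filter
    would never fire here."""
    sql = "SELECT id, username FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


# --- fix 1: parameterized queries -------------------------------------------

def find_by_name(conn, username):
    """The value is bound as data; it can never become part of the SQL."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def find_by_id(conn, user_id):
    sql = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# --- fix 2: validate against what is allowed, not what is forbidden --------

# Denylist: the "detect injection patterns" approach the question asks for.
DENYLIST_RE = re.compile(r"['\";]|--|/\*")

# Allowlists: one regex per field, because the pattern is domain dependent.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
ID_RE = re.compile(r"[0-9]{1,9}")


def looks_like_injection(value):
    """Denylist check; shown only to demonstrate that it misses payloads."""
    return DENYLIST_RE.search(value) is not None


def is_valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None


def is_valid_id(value):
    return ID_RE.fullmatch(value) is not None


def find_by_id_validated(conn, user_id_text):
    """Both layers together: allowlist the textbox value, then bind it."""
    if not is_valid_id(user_id_text):
        raise ValueError("user id must be 1-9 digits")
    return find_by_id(conn, int(user_id_text))


if __name__ == "__main__":
    db = make_db()
    name_payload = "x' OR '1'='1"   # classic string-context payload
    id_payload = "0 OR 1=1"         # numeric-context payload, no quotes
    print("unsafe name lookup :", find_by_name_unsafe(db, name_payload))  # every row
    print("bound name lookup  :", find_by_name(db, name_payload))         # []
    print("unsafe id lookup   :", find_by_id_unsafe(db, id_payload))      # every row
    print("bound id lookup    :", find_by_id(db, id_payload))             # []
    print("denylist catches id payload?", looks_like_injection(id_payload))  # False
    print("allowlist accepts id payload?", is_valid_id(id_payload))          # False
```

The numeric-context case is the one to remember: the denylist regex never sees a quote, semicolon or comment marker in `0 OR 1=1`, so it lets the payload through, while the per-field allowlist rejects it and the bound parameter renders it harmless even if validation were skipped. That is the sense in which the answer says to do both rather than one or the other.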