What's the best practice to prevent malicious hacker from entering inappropriate input?

Hi, I'm using VS2013, asp.net web form and C#.

I have a textbox in this form that users can enter some text which I would use as a key to submit to an API call to retrieve some data back from a database.  What's the best practice I should have in my Asp.net or C# code prevent potential malicious input like sql or scripting as input?

Thank you.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mark BullockQA EngineerCommented:
To prevent sql injection, use bind variables with prepared statements.
To prevent cross site scripting, URL encode user entered data wherever you display it or use it in a URL.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jacques Bourgeois (James Burger)PresidentCommented:
Limit the amount of text that can be typed in the TextBox to the size of the field that you are working with.

Inspect the typed string for superfluous characters that have nothing to do with your data but can be used in a SQL command, such as semi-colons and wildcards that are often used in SQL injection.

Pass the typed information as a parameter to a parametrized query or stored procedure instead of building the SQL through concatenation.  Parameters cannot be executed the way straight text can be.
lapuccaAuthor Commented:
By default, in my asp.net web form project, the validateRequest is set to false.  Should I change this to True?

To prevent sql injection, use bind variables with prepared statements.  -  How to do this?  Any example url?

Thank you for input so far.
Mark BullockQA EngineerCommented:
lapuccaAuthor Commented:
Thank you.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.