> I intend to look at the data in the strings and see if it looks anything like a SQL command

How will you do this? The only certain way I can think of is having an extra copy of the database you're using with a little "dummy" data in it, and testing user input against that to see if it changes data it shouldn't. But that would be computationally expensive.

If you're checking with a regex or something, there's 1,001 ways to get around that.

There are guidelines for SQL injection prevention in .NET[1], but what you describe ain't them.

[1]http://msdn.microsoft.com/en-us/library/ff648339.aspx



Thanks for the reference

     http://msdn.microsoft.com/en-us/library/ff648339.aspx
I just got a copy. I already had

     http://msdn.microsoft.com/en-us/library/bb355989(printer).aspx
which is similar.

I do intend to look at more that .NET may have to check input.

One text box is supposed to have a whole number from 0 to 100. So, check that the string can convert to a number. If not, then the input is bad. Else, check that the number is an integer and between 0 and 100.

Another text box is supposed to have a URL. .NET may have a routine to check for a string being a legal URL.

Another text box is supposed to have just a text comment, and maybe this input would have the greatest risk. Here I am guessing to remove punctuation and leave just A-Z, a-z, and 0-9.

Then I will check my ADO.NET call where I insert a row in a table where that string is the contents of one of the columns in that row and be sure that the syntax of my ADO.NET usage is clear that even if the string is, say, "SELECT ALL" or some such, SQL won't see the user's data as part of my SQL command.


What you're not considering is that what may constitute a valid URL may also be able to be executed as an SQL command.
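The point made above (a perfectly legal URL can still contain a quote character, so validating the *format* of the input does nothing to protect the *SQL statement*) and the earlier plan (range-check the whole number, check the URL, then make sure the ADO.NET call never lets user data become part of the command text) can be shown side by side. The following is an added example, not code from any comment in this thread, written in Python against the built-in sqlite3 module so it runs offline; the ADO.NET equivalent of the parameterized call is a SqlCommand with SqlParameter objects (for example `cmd.Parameters.Add("@comment", SqlDbType.NVarChar, 500).Value = comment`). The table name, column names and sample inputs are constructed for the demonstration.

```python
import sqlite3
from urllib.parse import urlparse


def parse_score(text):
    """Accept a whole number from 0 to 100 (the first text box). Return int or None."""
    text = text.strip()
    # isdigit() rejects "", "3.5", "1e2" and other things int() might or might not accept
    if not text.lstrip("-").isdigit():
        return None
    n = int(text)
    return n if 0 <= n <= 100 else None


def is_absolute_http_url(text):
    """Accept only absolute http/https URLs (the second text box)."""
    try:
        parts = urlparse(text)
    except ValueError:          # e.g. malformed IPv6 host
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def make_db():
    """Constructed in-memory table standing in for the real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE feedback (id INTEGER PRIMARY KEY, score INTEGER, url TEXT, comment TEXT)"
    )
    return conn


def insert_concatenated(conn, score, url, comment):
    """The pattern to avoid: user data spliced into the command text.

    Even a valid URL such as http://example.com/?q=it's terminates the string
    literal early, and the database now parses the user's data as SQL.
    """
    sql = "INSERT INTO feedback (score, url, comment) VALUES (%d, '%s', '%s')" % (
        score, url, comment)
    conn.execute(sql)


def insert_parameterized(conn, score, url, comment):
    """The safe pattern: the command text is fixed, values travel separately.

    Whatever the strings contain ("SELECT ALL", quotes, semicolons), the
    database only ever sees them as column values, never as SQL.
    """
    conn.execute(
        "INSERT INTO feedback (score, url, comment) VALUES (?, ?, ?)",
        (score, url, comment),
    )


def stored_rows(conn):
    return conn.execute("SELECT score, url, comment FROM feedback ORDER BY id").fetchall()


def demo():
    """Run both inserts on the same inputs and report what happened."""
    url = "http://example.com/search?q=it's"   # constructed: valid URL, contains a quote
    comment = "SELECT ALL"                      # constructed: looks like SQL, is just text
    score = parse_score(" 42 ")
    results = {"url_valid": is_absolute_http_url(url), "score": score}

    conn = make_db()
    try:
        insert_concatenated(conn, score, url, comment)
        results["concat_error"] = None
    except sqlite3.Error as exc:
        # The quote in the URL broke the statement: the database rejected it as SQL
        results["concat_error"] = type(exc).__name__

    insert_parameterized(conn, score, url, comment)
    results["rows"] = stored_rows(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running it shows the URL passing the format check, the concatenated insert failing with an OperationalError (a syntax error caused by the apostrophe), and the parameterized insert storing the URL and the "SELECT ALL" comment verbatim. That is the property to look for in the ADO.NET call: the command text never changes with the input, so there is no need to guess which characters to strip from the comment box.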