softty - 8:23 am on Dec 8, 2011 (gmt 0)
@Jon_King if you at any time use Request.QueryString like this, then your site is open:
"Select * from Tabel where Id=" + Request.QueryString["id"] + ";";
Use this instead:
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

string lid = Request.QueryString["id"];
string conn = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
SqlConnection MyConnection = new SqlConnection();
MyConnection.ConnectionString = conn;
MyConnection.Open();
// The query string value is bound as a parameter, never pasted into the SQL text
String MyString = @"Select * from Tabel where Id=@id";
SqlCommand MyCmd = new SqlCommand(MyString, MyConnection);
MyCmd.Parameters.Add("@id", SqlDbType.VarChar);
MyCmd.Parameters["@id"].Value = lid;
And the same goes for every text box: don't insert directly into your SQL string from the query string, text boxes or anything else.
@freejung to see what it decodes into, check out this thread [isc.sans.edu...] (I didn't wanna copy the code) ;o)
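A fuller version of the same pattern, added here as an example and not softty's code: an ASP.NET page that reads the id from the query string, checks it is an integer before it goes anywhere near the database, binds it as a typed parameter, and a second method that takes a text box value into an INSERT the same way. The table Tabel with columns Id (int) and Name, the page class name and the NameBox control are assumptions for the example.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class ItemPage : Page
{
    // Assumed schema for this example: Tabel(Id int, Name nvarchar(100))
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;

    // Read by id from the query string. The raw string never becomes part of the SQL text.
    protected string LoadName(string rawId)
    {
        int id;
        // Reject anything that is not an integer before a connection is even opened.
        if (!int.TryParse(rawId, out id))
            return null;

        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT Name FROM Tabel WHERE Id = @id", cn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cn.Open();
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }

    // Insert from a text box: same rule, the value goes in as a typed, length-limited parameter.
    protected int SaveName(string name)
    {
        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("INSERT INTO Tabel (Name) VALUES (@name)", cn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cn.Open();
            return cmd.ExecuteNonQuery();   // rows affected
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string name = LoadName(Request.QueryString["id"]);
        if (name != null)
            NameBox.Text = name;   // NameBox is an assumed TextBox declared in the page markup
    }
}
```

SaveName is meant to be called from a button click handler with NameBox.Text; because the id is parsed to an int and bound with SqlDbType.Int, a query string like id=1 OR 1=1 is rejected by TryParse rather than reaching SQL Server.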