Additionally, for new projects as well as old projects, we can maintain the following best practices to avoid the attack:
1. Use escape-character routines to handle special characters.
2. Use stored procedures rather than dynamic queries where possible.
3. Use parameterized queries in case of dynamic queries.
4. Use HtmlEncode and HtmlDecode techniques to show HTML data where possible.
5. Use a least-privileged database account: only stored procedures will have permission for update/insert, and the script will have only read permission.
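The following Python example is added here to illustrate items 1, 3, 4 and 5 of the list side by side; it is not code from the original text. It uses an in-memory SQLite database with constructed sample rows, places a dynamic (concatenated) query next to an escaped and a parameterized version of the same lookup, HTML-encodes a stored value before display, and, because SQLite has no user accounts, approximates a read-only database account with `PRAGMA query_only`. The table, rows and function names are all assumptions made for the example.

```python
import html
import sqlite3

# Constructed sample data, not taken from the article.
SAMPLE_USERS = [
    ("alice", "admin"),
    ("bob", "user"),
    ("<b>eve</b>", "user"),  # a name that contains HTML markup
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_dynamic(conn, name):
    """Dynamic query built by string concatenation: the pattern the list warns against.
    Untrusted input becomes part of the SQL text, so a quote in `name` alters the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def escape_sql_literal(value):
    """Item 1: escape-character routine for a string literal (each single quote is doubled).
    Weaker than a parameter: it only covers quoted string contexts, not numbers or identifiers."""
    return value.replace("'", "''")


def find_user_escaped(conn, name):
    """Same lookup as find_user_dynamic, but with the literal escaped first."""
    sql = "SELECT name, role FROM users WHERE name = '" + escape_sql_literal(name) + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Item 3: parameterized query. The driver passes `name` as data, never as SQL text."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_name(name):
    """Item 4: HTML-encode database content before placing it in a page, so stored
    markup is displayed as text instead of being interpreted by the browser."""
    return html.escape(name)


def open_read_only(conn):
    """Item 5 approximation (assumption): SQLite has no user accounts, so
    `PRAGMA query_only` stands in for a database account with read permission only."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def write_allowed(conn):
    """Return True if an INSERT succeeds on this connection, False if the database refuses it."""
    try:
        conn.execute("INSERT INTO users (name, role) VALUES ('probe', 'user')")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # a quote-bearing input, used only to show the difference in handling
    print(len(find_user_dynamic(db, probe)), "rows from the dynamic query")
    print(len(find_user_escaped(db, probe)), "rows from the escaped query")
    print(len(find_user_parameterized(db, probe)), "rows from the parameterized query")
    print(render_name("<b>eve</b>"))
    print("writes allowed on read-only connection:", write_allowed(open_read_only(db)))
```

With the quote-bearing input, the concatenated query matches every row because the quote closes the literal early, while both the escaped and the parameterized lookups match nothing; the parameterized form is the one to prefer, since escaping has to be applied correctly in every context. On the read-only connection the INSERT is refused, which is the behaviour a least-privileged account gives a script that only needs to read.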