In addition to the answers by Griff and Mark, see this: http://en.wikipedia.org/wiki/SQL_injection
Now, about using Griff's advice on a cryptographic hash algorithm: I need to add a warning against using MD5.
First of all, the password is never stored anywhere. Don't you see that storing the password is wrong and totally insecure?
You never need a password in its original form for authentication. One of the usual and simple techniques is using a cryptographic hash function of a password. You store only a password hash in your database, calculate a password hash based on the user input each time the user tries to authenticate, and compare the newly calculated hash value with the hash value stored in your database. A good hash function is practically infeasible to invert, so no one can calculate the original password even having full access to the database.
Please see: http://en.wikipedia.org/wiki/Cryptographic_hash_function
Don't use MD5 for any security: this algorithm is considered broken, please see: http://en.wikipedia.org/wiki/MD5
Instead, you can use one of the Secure Hash Algorithms (SHA): http://en.wikipedia.org/wiki/SHA2
The classes implementing those algorithms are available in .NET: http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx
If you want to perform the calculation of the cryptographic hash function in .NET only, that is, on the server side only, it means that the original password still has to be passed through the network, so a spy can pick it up. Therefore, safe authentication should only use the secure HTTPS protocol, not HTTP.
Please see: http://en.wikipedia.org/wiki/HTTPS
—SA
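The hash-and-compare scheme described in the answer above, as an added C# example (not code from the answer or from the .NET documentation). It assumes .NET 6 or later, and it goes slightly beyond the answer by adding a random per-user salt and a constant-time comparison, neither of which the answer mentions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: store a salted SHA-256 hash instead of the password,
// then verify a login attempt by recomputing and comparing the hash.
public static class PasswordHasher
{
    private const int SaltSize = 16; // bytes of random salt generated per user

    // Returns "salt:hash" (both Base64) for storage in the database.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = ComputeHash(password, salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Recompute the hash from the submitted password and the stored salt,
    // then compare in constant time so timing does not leak which bytes matched.
    public static bool VerifyPassword(string password, string storedRecord)
    {
        string[] parts = storedRecord.Split(':');
        if (parts.Length != 2) return false; // malformed record: reject
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = ComputeHash(password, salt);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // SHA-256 over salt || password; the salt makes equal passwords hash differently.
    private static byte[] ComputeHash(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        return SHA256.HashData(input);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample password; the record is what would be saved in the DB.
        string record = PasswordHasher.HashPassword("correct horse battery");
        Console.WriteLine(PasswordHasher.VerifyPassword("correct horse battery", record));
        Console.WriteLine(PasswordHasher.VerifyPassword("wrong password", record));
    }
}
```

The record must only ever be created and checked on the server, so the password itself still travels over the network and the HTTPS point in the answer applies unchanged.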