| Principle | Implementation |
|---|---|
| Never trust user input | Validate every textbox entry (and any other request value) with validation controls, regular expressions, or code, on the server side, before it is used |
| Never use dynamic SQL | Use parameterized SQL or stored procedures; never build a statement by concatenating user input into the SQL text |
| Never connect to a database using an admin-level account | Use a limited-access account, with only the rights the application needs, to connect to the database |
| Don't store secrets in plain text | Salt and hash passwords (they never need to be decrypted); encrypt other sensitive data; also encrypt connection strings in the configuration file |
| Exceptions should divulge minimal information | Don't reveal too much information in error messages; use customErrors to display minimal information in the event of an unhandled error; set debug to false in the compilation element |
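The following is an added example (not code from the original page) that applies the table's rules to a login lookup in C#. The table name Users, its columns Username, PasswordHash and Salt, the class name SecureLogin, and the 3-to-32-character username rule are assumptions chosen for illustration; the PBKDF2 overload that takes a HashAlgorithmName assumes .NET Framework 4.7.2 or later (or .NET Core).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

// Added example, not from the original page. Table/column names and the
// username rule below are assumptions for illustration only.
public static class SecureLogin
{
    // Principle 1: validate input before it reaches the database.
    // Assumed rule: 3-32 characters, letters, digits and underscore only.
    private static readonly Regex UsernameRule =
        new Regex(@"^[A-Za-z0-9_]{3,32}$", RegexOptions.Compiled);

    public static bool IsValidUsername(string username)
    {
        return username != null && UsernameRule.IsMatch(username);
    }

    // VULNERABLE (shown only for contrast): dynamic SQL built from user input.
    // The input  ' OR 1=1 --  turns the WHERE clause into a tautology.
    public static string DynamicSqlDoNotUse(string username)
    {
        return "SELECT PasswordHash, Salt FROM Users WHERE Username = '" + username + "'";
    }

    // Principle 2: parameterized SQL. The value travels separately from the
    // statement text, so it can never change the statement's structure.
    public static SqlCommand BuildLookup(SqlConnection conn, string username)
    {
        if (!IsValidUsername(username))
            throw new ArgumentException("Invalid username.");

        var cmd = new SqlCommand(
            "SELECT PasswordHash, Salt FROM Users WHERE Username = @username", conn);
        cmd.Parameters.Add("@username", SqlDbType.NVarChar, 32).Value = username;
        return cmd;
    }

    // Principle 4: never store the password itself; store a salted PBKDF2 hash.
    public static void HashPassword(string password, out byte[] hash, out byte[] salt)
    {
        salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            hash = kdf.GetBytes(32);
    }

    public static bool VerifyPassword(string password, byte[] expectedHash, byte[] salt)
    {
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            actual = kdf.GetBytes(32);

        // Constant-time comparison so response timing does not leak how many
        // leading bytes matched.
        if (actual.Length != expectedHash.Length) return false;
        int diff = 0;
        for (int i = 0; i < actual.Length; i++)
            diff |= actual[i] ^ expectedHash[i];
        return diff == 0;
    }

    // Principle 5: the caller (a page) sees only a generic failure; the
    // SqlException detail (table names, server version) is logged server-side.
    // Returns true when the user exists and the password verifies.
    public static bool TryLogin(SqlConnection conn, string username, string password, Action<Exception> log)
    {
        try
        {
            using (var reader = BuildLookup(conn, username).ExecuteReader())
            {
                if (!reader.Read()) return false;
                var hash = (byte[])reader["PasswordHash"];
                var salt = (byte[])reader["Salt"];
                return VerifyPassword(password, hash, salt);
            }
        }
        catch (SqlException ex)
        {
            log(ex);                              // full detail stays on the server
            throw new InvalidOperationException("Login is temporarily unavailable.");
        }
    }
}
```

Principle 3 is a deployment setting rather than code: the connection string passed to SqlConnection should name a SQL login that has only EXECUTE or SELECT rights on the objects the application uses, not sa or db_owner, and that connectionStrings section can be encrypted in place with aspnet_regiis -pe "connectionStrings" -app "/YourApp". The generic message thrown in TryLogin is what customErrors shows to a remote user when compilation debug is false; with debug left on, the original SqlException and a stack trace would reach the browser instead.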