Are sql query command strings secure in ASP.NET?

I understand a hackers reasoning about wanting the login to my sql server. It makes them able to get direct admin access to the sql server but it is just as difficult to grab the login from memory as it would be to grab the SQL query string, and I would assume just as simple for that same hacker to change the query before it posts back to the server. Sadly there isn't much difference between admin access and a query through an admin login given you know the most basic SQL. "without a database connection" They have database connection already, everyone has to have a database connection to check their login and pass against the database, even when it is incorrect, which is another best pratice to put the usernames and passwords in the database. So my point is, access to SQL queries through an admin account yields the same security risks as direct admin access to the server, therefore, what is the point of encrypting your login in the web.config file if they are just going to have access to your queries in the code behind page that I already know is not secure since Microsoft tells us directly anyone can view the code behind page and/or change it. "hardly a security risk" Access to queries is a grave security risk especially when that connection has full access which as you pointed out is very often not to mention a must for any add, change, delete program, and it is only slightly less risky to a connection that has read only access always with the obvious unrevokable ability to run read-only queries like "SELECT * FROM... Hackers have used the same or related security hole for years to get at data from all the other frameworks so what can I do to stop this in .NET or am I to simply assume these same hackers will stop trying to get it at data? Thanks for the reply. timothymburke@hotmail.com -- modified at 13:55 Tuesday 20th June, 2006

I have a question about ASP.NET security. We learned in the advanced ASP.NET class not to put our username and password in our code behind page because a hacker could get to it there. They said as a good security practice we should put it in the web.config file, encrypt it, memorize the password, and lock the server room door, but what about our sql commands or query strings? If in our code behind page we have the query:

SELECT * FROM SQLUSERDATA WHERE USER = txtUSER.Text AND PASS = txtPASS.Text

What stops a hacker from getting to the string in memory and changing it to:

SELECT * FROM SQLUSERDATA

to return all the usernames, passwords, addresses, etc. from our database. I'm assuming if they can get to the sql connection string to steal the password when it is in the code behind then they can just as easily get to sql query command string. I am trying to put the command string for my sql query into web.config then pull in the username and password from the webform but cannot use varibles in the string because web.config does not see my webform objects. I googled for hours but could only find help with the connection string which everyone knows how to do by now, and doesn't need varibles from the webform. How do I make the following code work in the web.config:

SELECT * FROM SQLUSERDATA WHERE USER = txtUSER.Text AND PASS = txtPASS.Text

or what would be the most secure way to hide my query string from hackers? Thanks! timothymburke@hotmail.com