使用ASP.net和Access数据库保护SQL Injection的网站

我目前有一个正常注册和登录的网站,用ASP.net编码.
我正在使用Access数据库,同时使用我的朋友编写的C#类来处理大多数数据库操作(executeQuery,executeRead,isExits ……).

现在我已经差不多完成了我的网站构建,我想开始添加安全性 – 主要是我的数据库.我已经搜索了一段时间的关于这个主题的教程,但我找不到任何好的东西,一篇旧的微软msdn文章,我无法真正得到它的代码工作.
我现在得到的最远的就是不允许用户名和密码中的任何危险字符(例如’,–,;),但它感觉好像是我可以使用的更糟糕的解决方案(为什么不应该我的用户是否使用此字符？).

我认为我发现的最佳解决方案是在声明它之后以某种方式将变量插入到查询字符串中(与“WHERE username = @ user”或类似的东西有关),但我无法使用它访问和使用我的oleDBManager.

这是我目前的注册码. handle()从字符串中删除所有’,Validate()检查字符串中的危险部分.

string username = user.Text;
        string password = pass.Text;
        bool isThingy = false;
        if (handle(ref password)) isThingy = true;
        if (handle(ref username)) isThingy = true;

        if (username != "" && username != null)
        {
            if (password != "" && password != null)
            {
                if (Validate(username,password))
                {
                    if ((db.IsExist("SELECT * FROM Table1 WHERE username='" + username + "'") == false))
                    {
                        int a = db.ExecuteQuery("INSERT INTO `Table1`(`username`,`password`,`logins`,`email`,`fname`,`lname`,`country`,`city`,`birthday`,`userid`) VALUES ('" + username + "','" + password + "','0','','" + Convert.ToString(Convert.ToInt32(db.ExecuteCellRead("SELECT MAX(userid) FROM Table1")) + 1) + "');");

                        if (!isThingy) errorLabel.Text = "Your user has been successfully registered";
                        else errorLabel.Text = "The ' token is invalid. your user was registered absence the '.";
                    }
                    else
                        errorLabel.Text = "This username is already taken";
                }
                else errorLabel.Text = "Invalid name format";

            }
            else errorLabel.Text = "Please enter a password";
        }
        else errorLabel.Text = "Please enter a user name";

对于oleDBManager(在我的代码中命名为db)：

private OleDbConnection link; // The link instance
    private OleDbCommand command; // The command object
    private OleDbDataReader dataReader; // The data reader object
    private OleDbDataAdapter dataAdapter; // the data adapter object
    private DataTable dataTable; // the data table object
    private string dbName; // the Database filename
    private int version; // the usersTableG office version
    private string connectionString; // the connection string for the database connection
    private string provider; // the matching driver string for the connection string
    private string path; // the path to the database file


...


    public int ExecuteQuery(string query)
    {
        this.link.Open();
        int rowsAffected;
        // ---
        this.command = new OleDbCommand(query,this.link);
        try
        {
            rowsAffected = this.command.ExecuteNonQuery();
        }
        catch (InvalidOperationException e)
        {
            if (e.Data == null)
                throw;
            else
                rowsAffected = -1;
        }
        finally
        {
            this.command.Dispose();
            this.link.Close();
        }
        // ---
        return rowsAffected;
    }

    public bool IsExist(string query)
    {
        this.link.Open();
        // ---
        this.command = new OleDbCommand(query,this.link);
        this.dataReader = this.command.ExecuteReader();
        bool a = this.dataReader.Read();
        // ---
        this.command.Dispose();
        this.link.Close();
        // ---
        return a;
    }

    public string ExecuteCellRead(string query)
    {
        string output = "";
        this.dataTable = this.ExcecuteRead(query);

        foreach (DataRow row in this.dataTable.Rows)
        {
            foreach (object obj in row.ItemArray)
            {
                output += obj.ToString();
            }
        }

        return output;
    }

因此,正如您可能看到的,主要问题是用户现在无法使用字符”.
它假设最好的解决方案是在SQL查询中使用@变量,但我不知道如何.

[谢谢你的帮助]
PS.我已经改变了我的桌子的名字;)

编辑：大多数人都告诉我使用这些参数化查询,但如果你能给我一个如何使用它们的例子会很好,因为我从来没有这样做过

所以,感谢@Remou,我的FINAL代码是：

db.DoWeirdStackOverFlowStuff(
    "INSERT INTO `Table1`(`username`,`logins`) VALUES (@username,@password,'0');",new string[] { "@username","@password" },new string[] { username,password });

和

public int DoWeirdStackOverFlowStuff(string query,string[] vars,string[] reps)
    {
        this.link.Open();
        int rowsAffected;
        // ---
        this.command = new OleDbCommand();
        this.command.CommandText = query;
        this.command.CommandType = System.Data.CommandType.Text;
        this.command.Connection = this.link;

        //Parameters in the order in which they appear in the query
        for (int i = 0; i < vars.Length; i++)
            this.command.Parameters.AddWithValue(vars[i],reps[i]);

        try
        {
            rowsAffected = this.command.ExecuteNonQuery();
        }
        catch (InvalidOperationException e)
        {
            if (e.Data == null)
                throw;
            else
                rowsAffected = -1;
        }
        finally
        {
            this.command.Dispose();
            this.link.Close();
        }
        // ---
        return rowsAffected;
    }

无论谁需要这个=]

UPDATE INTERNETSETTINGS 
       SET url = [@url],databasename = [@databasename],port = [@port],username = [@username],[password] = [@password]

OleDbCommand Command = new OleDbCommand();

        Command.CommandText = "UpdateUser"; //saved query
        Command.CommandType = System.Data.CommandType.StoredProcedure;
        Command.Connection = cn; //a connection to the database

        //Parameters in the order in which they appear in the query
        Command.Parameters.AddWithValue("@url","a"); //a,b,c etc for my test run
        Command.Parameters.AddWithValue("@databasename","b");
        Command.Parameters.AddWithValue("@port","c");
        Command.Parameters.AddWithValue("@username","d");
        Command.Parameters.AddWithValue("@password","e");

        Command.ExecuteNonQuery();