I have to fix a project that is vulnerable to SQL injection.

All the forms in every page on the project do not use parametrized query but simply string query.

For example I have the search page, and looking at the code behind I see that there is a method CreateQuery() that creates the query basing on the text fields as example:

string sQuery = "";
sQuery += "b.name like '%" + txtName.Text + "%'";

Then in the btnSearch_Click() I have the method that does the query:

query = CreateQuery();
var totalList = GetAllBlaBla(query);

My question is:

Since I have hundreds of forms and thousands of formText and values to FIX, is there a “quick” solution to implement like

1. A global function that parametrizes the query or handle the situation in some way?
2. Since in every class the query is executed in the SubmitButton_Click() code behind method, can I handle the situation here, of course in every class?
3. Should I modify every form and every entry in the form codebehind to parametrize the SQL string, that is gonna take one million of years?

4. (Edit) What about Encode/Decode input values? SO that the example above will be:

   string sQuery = "";
   var txt = var txt = HttpUtility.HtmlEncode(txtName.Text);
   sQuery += "b.name like '%" + txt + "%'";
   

   Is this a possible temporary patch?

5- (Edit) Is this a possible solution, or it simply does not change anything?

        cmd.Parameters.Add("@txtNameParameter", SqlDbType.VarChar);
        cmd.Parameters["@txtNameParameter"].Value = txtName.Text;
        sQuery += "b.name like '%" + (string)cmd.Parameters["@txtNameParameter"].Value + "%'";

The problem is that I have to return a string because the logic that handles the query is defined in another business class that takes a string as a query, I cannot give it a CommandType or SqlDataAdapter…

Suggestion?

Thanks in advance.