I want to have a "contact us" on my site such that a user can type in a textbox and when he clicks "submit" – it will be stored for later viewing by me.
Is there any danger of injection here?
The injection may happen in two places.
So if you save it in an SQL server, save it using variables/parameters*; if you save it in XML, save it using HtmlEncode.
When you view that data, if you view it on an HTML page use HtmlEncode; if you just read it in a text file, then no worry :)
[*] How To: Protect From SQL Injection in ASP.NET
More details on HtmlEncode and the Anti-Cross Site Scripting Library:
http://msdn.microsoft.com/en-us/security/aa973814
http://msdn.microsoft.com/en-us/library/ff649310.aspx
Probably yes, but it depends on where you store your text.
If it's in an SQL database, you have the risk of SQL injection, for example. You should use your environment's SQL escape function.
For example, with PHP + MySQL you can use mysql_real_escape_string. Most technical environments provide a standard way to escape strings properly before persistence.
From a security point of view, our Web forms are naked and 100% vulnerable. We need to look at all the ways data is passed to them and test as appropriate:
* Form Fields
* URL Query Strings
* Cookies
* Database
* ViewState
The most prevalent forms of attack seem to be Script Injection, Cross Site Scripting and SQL Injection. As for SQL Injection, this can be mitigated by using parameterized queries. It is the act of parameterizing the database queries that makes stored procedures so resilient to attack. The other forms of script attack can be handled by downloading and using the Microsoft Anti-Cross Site Scripting Library in your Web application projects.
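The two rules the answers above agree on, parameterize the INSERT when storing the message and encode the message when you later view it in HTML, shown end to end in an added example (not code from any answer here, and written in Python with an in-memory SQLite table rather than ASP.NET or PHP; the sample submission is constructed):

```python
import html
import sqlite3

# Constructed sample submission: it contains an SQL metacharacter (the quote)
# and markup, so it exercises both the storage and the display side.
SAMPLE_MESSAGE = "I'd like a quote <script>alert(1)</script>"


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, message TEXT NOT NULL)")
    return conn


def store_unsafe(conn, message):
    """'Before' form: the message is pasted into the SQL text, so a single
    quote in user input changes the statement (here it just breaks it)."""
    conn.execute("INSERT INTO contact (message) VALUES ('" + message + "')")


def store_safe(conn, message):
    """Parameterized INSERT: the driver passes the value separately from the
    SQL text, so the content of the message can never alter the query."""
    conn.execute("INSERT INTO contact (message) VALUES (?)", (message,))
    conn.commit()


def render_for_html(conn):
    """Encode on output: the stored text is kept verbatim in the database and
    turned into inert text only when it is placed inside an HTML page."""
    rows = conn.execute("SELECT message FROM contact ORDER BY id").fetchall()
    return "".join("<li>%s</li>" % html.escape(m, quote=True) for (m,) in rows)


def demo():
    """Returns (unsafe insert failed?, stored text, rendered HTML)."""
    conn = setup_db()
    try:
        store_unsafe(conn, SAMPLE_MESSAGE)
        unsafe_failed = False
    except sqlite3.OperationalError:  # the quote in the input broke the SQL
        unsafe_failed = True
    store_safe(conn, SAMPLE_MESSAGE)
    stored = conn.execute("SELECT message FROM contact").fetchone()[0]
    return unsafe_failed, stored, render_for_html(conn)


if __name__ == "__main__":
    print(demo())
```

Note that the safe path stores the raw text unchanged; encoding belongs at the point of display, not at the point of storage, which is why a message read back into a plain text file needs no encoding at all.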