Other possible ways for SQL injections?

Question

I have an ASP.NET page running in SSL and the checking happens in the code-behind.

I've done the following to prevent sql injection:

1. Included RegEx to filter out unnecessary/hazardous characters (basically, it now only allows 0-9, az, and AZ).

2. Using queries which would look something like "SELECT * FROM table WHERE username = @Username...".

3. I've also added account lockout so you only have a limited tries available.

After the IBM AppScan to test the vulnerabilities, it seems I've only fixed the Blind SQL Injection and not the Authenticated Bypass.

Is there anything that I've missed that's causing me to fail the vulnerability test?

UPDATE:

...

bool bUser = FilterInput(txtUsername.Text);
bool bPass = FilterInput(txtPassword.Text);

// check for restricted characters
if (bUser && bPass)
   Response.Redirect("Login.aspx");
...

public static bool FilterInput(string text)
{
    // check if string contains only letters and numbers
    return (Regex.IsMatch(text, @"^[a-zA-Z0-9]+$"));
}  

anything not within the a-zA-Z0-9 characters should throw a 'false' and would cause the page to redirect/refresh the login page.

The DB queries are all using parameterized queries and the login works correctly. no problem about that part.

Answer 1

Drop the first thing that you did and just use SqlCommand.Parameters as explained below:

SQL Injection vs. Lethal Injection / Protection Against SQL Injection

I always use multiple Connection Strings in order to access a database and each of them has different roles: reading , writing , execution . When you do that, you make sure that if the attack is being made successfully on a read action, the attacker cannot do someting other than reading (which is still bad but better than modifying)

Answer 2

Apparently there were 2 DB queries on the code the wasn't updated into parameterized queries.

Parameterized queries were enough to prevent SQL injection so the other steps/features are a bit of an overkill.