A good book should cover how to write secure code. You want one for the web rather than the desktop, so I won't recommend the only book I know, as it covers how to code securely for the desktop.
Tips:
SQL Injection
Use parametrised queries to get around SQL injection. Do not use anything which strips SQL characters (such as apostrophes) out of a string. Not only is this not a complete workaround, but it means my name (O'Neill) is marked as invalid, which makes me angry. This basically means you write a complete SQL statement with tokens in place of the parameters:
Code:
INSERT INTO Customers (Name,LastName) VALUES (@firstName,@lastName)
Where @firstName and @lastName are the parameters.
You then assign the user given values to the parameters in whichever construct is provided for the task (I only know how to do it in .Net).
This means that whatever the user enters as their first name goes into the database exactly as entered. If you had built the statement by string concatenation, any SQL they put in would have been executed; this way it is simply copied as data.
XSS Attacks
You'll need to research more on this, but can I suggest you ensure that all dynamic content on your system, especially anything which has come from a user, is HTML encoded. This converts any HTML characters into the entities used to represent those characters (so & becomes &amp;). These render fine in the browser but are not read as HTML, thus preventing any user-provided code from executing on your site.
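To show both tips in working code (this is an added example, not from the original post, and it uses Python's sqlite3 and html modules rather than .Net; the in-memory Customers table and the sample names are constructed here): the parametrised insert stores O'Neill and any SQL-looking text verbatim, the concatenated insert is broken by the apostrophe, and html.escape does the entity conversion before the name is rendered.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the Customers table in the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Name TEXT, LastName TEXT)")
    return conn


def insert_customer_parametrised(conn, first_name, last_name):
    # The driver binds the values to the placeholders (? here, @firstName in .Net),
    # so they are never parsed as SQL: an apostrophe or a stray keyword is just data.
    conn.execute(
        "INSERT INTO Customers (Name, LastName) VALUES (?, ?)",
        (first_name, last_name),
    )
    conn.commit()


def insert_customer_concatenated(conn, first_name, last_name):
    # The anti-pattern: the user's text becomes part of the statement itself.
    # Returns None on success or the database error message on failure.
    sql = (
        "INSERT INTO Customers (Name, LastName) "
        f"VALUES ('{first_name}', '{last_name}')"
    )
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)


def stored_last_names(conn):
    # Read back what actually landed in the table, in insertion order.
    return [row[0] for row in conn.execute("SELECT LastName FROM Customers ORDER BY rowid")]


def render_customer_cell(name):
    # HTML-encode dynamic content at output time: & becomes &amp;, < becomes &lt;,
    # and with quote=True the apostrophe in O'Neill becomes &#x27; too.
    return f"<td>{html.escape(name, quote=True)}</td>"


if __name__ == "__main__":
    db = make_db()
    insert_customer_parametrised(db, "Sean", "O'Neill")
    print(stored_last_names(db))
    print(insert_customer_concatenated(db, "Sean", "O'Neill"))
    print(render_customer_cell("Sean O'Neill & <b>Co</b>"))
```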
CSRF Attacks
Don't know much about this. So I'll get someone else to talk about it:
http://www.codinghorror.com/blog/200...s-and-you.html