The goal of a command injection attack is to execute arbitrary commands on the host operating system via a vulnerable application; the injected commands run with whatever privileges the application process has. These attacks are possible when an application passes insufficiently validated user-supplied data (form fields, cookies, HTTP headers, etc.) to a system shell.
An SQL injection attack inserts or alters SQL in a query by way of the input data sent from the client to the application. When successful, the injection can read sensitive data from the database, modify database data, execute administration operations on the database, recover the content of a file on the DBMS file system and in some cases issue commands to the operating system.
To stop command and SQL injections, and to protect the data behind them:
o Validate all user input against an allowlist, and keep data out of the command or query syntax: pass OS commands as an argument list rather than a shell string, and send SQL through parameterized (prepared) statements rather than string concatenation
o Perform error handling, and never return raw shell or database error messages to the client
o Check return values and list sizes
o Use standard, well-reviewed cryptography and hashing to secure sensitive information
o Do NOT store passwords in clear text; store a salted hash produced by a password-hashing function such as PBKDF2 (e.g. PBKDF2-HMAC-SHA256), bcrypt, scrypt or Argon2. A bare fast hash such as SHA-256 on its own is too cheap to brute-force
o Do NOT invent your OWN algorithm.
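The following Python script is an added example, not code from the original page: it puts the vulnerable form of each pattern above beside its hardened form, using an in-memory SQLite table, the POSIX shell's echo builtin and the standard library's PBKDF2. The table rows, the user names and the injected strings are constructed for the example; the hostname allowlist regex and the iteration count are choices of this example, not requirements of the page.

```python
"""Vulnerable vs hardened handling of untrusted input (constructed example)."""
import hashlib
import hmac
import os
import re
import sqlite3
import subprocess

# Constructed sample data: two users in an in-memory SQLite database.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


# --- SQL injection -------------------------------------------------------

def lookup_email_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Splices user input into the SQL text. A name such as
    "x' OR '1'='1" rewrites the WHERE clause and returns every row."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """Binds the name as a parameter; the driver never parses it as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- Command injection ---------------------------------------------------

# Allowlist for a hostname argument (example choice): letters, digits, dot, dash.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def is_valid_hostname(value: str) -> bool:
    """Allowlist validation: reject anything a hostname cannot contain."""
    return HOSTNAME_RE.fullmatch(value) is not None


def echo_vulnerable(value: str) -> str:
    """shell=True hands the whole string to /bin/sh, so a value such as
    "hello; echo INJECTED" runs a second command. Assumes a POSIX shell."""
    result = subprocess.run("echo " + value, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def echo_no_shell(value: str) -> str:
    """No shell: the value is one argv element and reaches the program as
    data, so the ';' is printed literally instead of being interpreted."""
    result = subprocess.run(["echo", value], capture_output=True, text=True)
    return result.stdout


# --- Password storage ----------------------------------------------------

PBKDF2_ITERATIONS = 600_000  # cost factor (example choice); raise over time


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256. A random per-user salt defeats precomputed
    tables; the iteration count makes each guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(),
                                       digest.hex())


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    hash_name = algo.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    print(lookup_email_vulnerable(db, "x' OR '1'='1"))   # every row leaks
    print(lookup_email_safe(db, "x' OR '1'='1"))         # no match
    print(echo_vulnerable("hello; echo INJECTED"))       # second command ran
    print(echo_no_shell("hello; echo INJECTED"))         # printed literally
    record = hash_password("correct horse")
    print(verify_password(record, "correct horse"), verify_password(record, "x"))
```

The two defences are independent: the argv list stops the shell from parsing the value at all, and the allowlist additionally rejects values that the called program itself might misinterpret (a leading "-" that ping would read as an option, for instance). Parameterized queries do the same job for SQL; input validation is a second layer, not a replacement.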
In many applications, users access the site anonymously without having to provide credentials. If so, your application accesses resources by running in the context of a predefined user. On Windows Server 2016, as on earlier Windows versions, the NetworkService account is a predefined local account used by the service control manager; it is not recognized by the security subsystem (you cannot look it up by name with LookupAccountName), it has minimum privileges on the local computer, and on the network it presents the computer's own credentials. Everything an anonymous user does therefore runs with that one shared identity, so keep its permissions on files, databases and other resources to the minimum the application needs.
If your application is an intranet application, configure it to use Windows Integrated Authentication. That way, the user's domain logon credentials authenticate the user to the application and, with impersonation or delegation enabled, can be used to access back-end resources under that user's identity rather than the shared service account.