Quote:
SQL injection attacks possible using resource (.resx) file.
SQL injection is made possible when your queries are exposed to code injection. It doesn't matter how you store the queries, but rather how they execute. It is of no benefit if you store and load the SQL queries from a file, or even from a network, or store them in resource files, or in memory; if the query is exposed to injection, it will be injected with code.
Think of the code, if you are concatenating the strings, like,
var query = "SELECT * FROM table_name WHERE primary_column = '" + variable + "';";
It will not matter whether this query comes from a resource, network, or is hardcoded inside the program. You need to change this query, to prevent the injection.
Quote:
If SQL injection is possible, then how and where to maintain all SQL queries.
You need to write the queries in a secure manner; for example, the use of parameters is encouraged. You should also consider whether the user is able to modify any of these queries or not. Your program should take care of the queries that it executes.
Although every engine has its own security loopholes, you can search for instance-based documentation and recommendations on Google quite easily, but I would recommend you start from here,
SQL Injection | Microsoft Docs.
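The following is an added example, not part of the original answer: it loads two query texts from the same store and runs both with the same hostile input, showing that the storage location changes nothing while parameter binding does. The `Resources` dictionary is a constructed stand-in for strings read from a .resx file, and an in-memory SQLite database (Microsoft.Data.Sqlite NuGet package) is assumed in place of the real engine; the `users` table and all names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Data.Sqlite;

static class ResourceQueryDemo
{
    // Constructed stand-in for query strings loaded from a .resx resource file.
    static readonly Dictionary<string, string> Resources = new()
    {
        ["CountByNameConcat"] = "SELECT COUNT(*) FROM users WHERE name = '{0}';",
        ["CountByNameParam"]  = "SELECT COUNT(*) FROM users WHERE name = @name;",
    };

    // Vulnerable: user input becomes part of the SQL text itself.
    static long CountConcatenated(SqliteConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = string.Format(Resources["CountByNameConcat"], name);
        return (long)cmd.ExecuteScalar()!;
    }

    // Safe: the SQL text is fixed; the input travels separately as a bound value.
    static long CountParameterized(SqliteConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = Resources["CountByNameParam"];
        cmd.Parameters.AddWithValue("@name", name);
        return (long)cmd.ExecuteScalar()!;
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var setup = conn.CreateCommand())
        {
            // Constructed sample data.
            setup.CommandText =
                "CREATE TABLE users(name TEXT);" +
                "INSERT INTO users VALUES ('alice'), ('bob');";
            setup.ExecuteNonQuery();
        }

        string input = "nobody' OR '1'='1"; // constructed hostile input
        Console.WriteLine($"concatenated:  {CountConcatenated(conn, input)} row(s) matched");
        Console.WriteLine($"parameterized: {CountParameterized(conn, input)} row(s) matched");
    }
}
```

The concatenated query matches every row in the table because the input rewrites the WHERE clause; the parameterized query compares the whole input as a literal name and matches none.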