In myPrevious article, we have already learn about SQL injection attack. We saw that if we use Text Box for retrieving data from the database then other queries also perform with the same database. So, Microsoft provide, Parameterized query for DML and DQL statements. Like
Replace this statement with the parameterized query
Direct Interface with TextBox (SQL Injection Attack Possible)
cmd.CommandText = "Select * from [TableName] where name='"+TextBox1.Text+"'";
Resolve this problem by the parameterized query
cmd.CommandText = "Select * from [TableName] where name=@name1";
cmd.Parameter.AddWithValue("@name1",TextBox1.Text);
Replace this statement with the parameterized query
Direct Interface with TextBox (SQL Injection Attack Possible)
cmd.CommandText = "Select * from [TableName] where name='"+TextBox1.Text+"'";
Resolve this problem by the parameterized query
cmd.CommandText = "Select * from [TableName] where name=@name1";
cmd.Parameter.AddWithValue("@name1",TextBox1.Text);