<div>
<div class="content wysiwyg-content">
As title.<br />
I am building an SQL Command like.<br />
SqlCommand cmd = new SqlCommand(Delete from Customers where CustomerID = @CustomerID);<br />
<br />
cmd.Parameters.AddWithValu<wbr />e(&quot;@Custom<wbr />erID&quot;, CustomerID);<br />
<br />
How does this acutally prevent SQL Injection?<br />
<br />
If CustomerID was a string and a user entered &quot;BobsCustomerID; drop table Customers&quot; &nbsp;how is this not a risk with a parametized query.
</div>
</div>


As title.
I am building an SQL Command like.
SqlCommand cmd = new SqlCommand(Delete from Customers where CustomerID = @CustomerID);

cmd.Parameters.AddWithValue("@CustomerID", CustomerID);

How does this acutally prevent SQL Injection?

If CustomerID was a string and a user entered "BobsCustomerID; drop table Customers"  how is this not a risk with a parametized query.

c# How does SQL Command Paramatized Query Prevent SQL Injection

C# is an object-oriented programming language created in conjunction with Microsoft’s .NET framework. Compilation is usually done into the Microsoft Intermediate Language (MSIL), which is then JIT-compiled to native code (and cached) during execution in the Common Language Runtime (CLR).

Microsoft SQL Server is a suite of relational database management system (RDBMS) products providing multi-user database access functionality.SQL Server is available in multiple versions, typically identified by release year, and versions are subdivided into editions to distinguish between product functionality. Component services include integration (SSIS), reporting (SSRS), analysis (SSAS), data quality, master data, T-SQL and performance tuning.

Microsoft SQL Server

The successor to Active Server Pages, ASP.NET websites utilize the .NET framework to produce dynamic, data and content-driven web applications and services. ASP.NET code can be written using any .NET supported language. As of 2009, ASP.NET can also apply the Model-View-Controller (MVC) pattern to web applications