Skip to content

Bits of .NET

Daily micro-tips for C#, SQL, performance, and scalable backend engineering.

  • Asp.Net Core
  • C#
  • SQL
  • JavaScript
  • CSS
  • About
  • ErcanOPAK.com
  • No Access
  • Privacy Policy
SQL

SQL: Prevent SQL Injection with Parameterized Queries

- 04.07.26 - ErcanOPAK

๐Ÿ”’ Never Concatenate User Input into SQL

SQL injection is #1 web vulnerability. Parameterized queries prevent it. Always use parameters for user input.

โŒ Vulnerable (SQL Injection)

string query = "SELECT * FROM users WHERE email = '" + email + "'";
var cmd = new SqlCommand(query, connection);
// User input: admin' OR '1'='1
// Query becomes: SELECT * FROM users WHERE email = 'admin' OR '1'='1'
// All users returned!

โœ… Parameterized (Safe)

string query = "SELECT * FROM users WHERE email = @email";
var cmd = new SqlCommand(query, connection);
cmd.Parameters.AddWithValue("@email", email);
// Email treated as data, not code
// Safe from injection

๐ŸŽฏ Parameterized Queries Examples

// SQL Server
string query = "INSERT INTO Users (Name, Email) VALUES (@name, @email)";
using var cmd = new SqlCommand(query, connection);
cmd.Parameters.AddWithValue("@name", name);
cmd.Parameters.AddWithValue("@email", email);

// PostgreSQL (Npgsql)
string query = "INSERT INTO Users (Name, Email) VALUES (@name, @email)";
using var cmd = new NpgsqlCommand(query, connection);
cmd.Parameters.AddWithValue("@name", name);
cmd.Parameters.AddWithValue("@email", email);

// MySQL
string query = "INSERT INTO Users (Name, Email) VALUES (@name, @email)";
using var cmd = new MySqlCommand(query, connection);
cmd.Parameters.AddWithValue("@name", name);
cmd.Parameters.AddWithValue("@email", email);

// Entity Framework (safe by default)
var user = await context.Users
    .Where(u => u.Email == email)
    .FirstOrDefaultAsync();

๐Ÿ’ก Best Practices

  • Always use parameterized queries for user input
  • Use ORM (Entity Framework, Dapper) for safety
  • Validate and sanitize input
  • Use stored procedures with parameters
  • Regular security audits

“SQL injection is preventable. Parameterized queries are essential. Never concatenate user input into SQL.”

โ€” Security Engineer

Related posts:

SQL Queries Return Wrong Results After Schema Change

SQL: Use EXISTS Instead of COUNT for Checking Existence

SQL โ€œIndex Fragmentation Panicโ€ โ€” When NOT to Rebuild

Post Views: 2

Post navigation

.NET Core: Serve Static Files (CSS, JS, Images)
C#: Implement IDisposable for Resource Cleanup

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

July 2026
M T W T F S S
 12345
6789101112
13141516171819
20212223242526
2728293031  
« Jun    

Most Viewed Posts

  • Get the User Name and Domain Name from an Email Address in SQL (960)
  • How to add default value for Entity Framework migrations for DateTime and Bool (898)
  • How to make theater mode the default for Youtube (857)
  • Get the First and Last Word from a String or Sentence in SQL (840)
  • How to select distinct rows in a datatable in C# (814)
  • How to enable, disable and check if Service Broker is enabled on a database in SQL Server (597)
  • Add Constraint to SQL Table to ensure email contains @ (582)
  • Average of all values in a column that are not zero in SQL (545)
  • How to use Map Mode for Vertical Scroll Mode in Visual Studio (512)
  • Find numbers with more than two decimal places in SQL (460)

Recent Posts

  • C#: Use Using Statements for Resource Management
  • C#: Use Lambda Expressions for Concise Code
  • SQL: Use GROUP BY for Data Aggregation
  • .NET Core: Master Routing for Clean URLs
  • Git: Use Reset to Undo Local Changes
  • Ajax: Use Axios for HTTP Requests
  • JavaScript: Understand Hoisting
  • HTML: Use Web Storage for Client-Side Data
  • CSS: Use Filter Effects for Visual Magic
  • Windows 11: Unlock God Mode for All Settings

Most Viewed Posts

  • Get the User Name and Domain Name from an Email Address in SQL (960)
  • How to add default value for Entity Framework migrations for DateTime and Bool (898)
  • How to make theater mode the default for Youtube (857)
  • Get the First and Last Word from a String or Sentence in SQL (840)
  • How to select distinct rows in a datatable in C# (814)

Recent Posts

  • C#: Use Using Statements for Resource Management
  • C#: Use Lambda Expressions for Concise Code
  • SQL: Use GROUP BY for Data Aggregation
  • .NET Core: Master Routing for Clean URLs
  • Git: Use Reset to Undo Local Changes

Social

  • ErcanOPAK.com
  • GoodReads
  • LetterBoxD
  • Linkedin
  • The Blog
  • Twitter
© 2026 Bits of .NET | Built with Xblog Plus free WordPress theme by wpthemespace.com