SQL Injection : Parameterization Code Review

In C# code it is possible to call SQL commands using the SqlCommand object like below:

```csharp
// Vulnerable as written: the caller-supplied value is concatenated straight into the SQL text
string selectString = @"select MyColumn from Mytable where MyOtherColumn = " + value;
SqlCommand cmd = new SqlCommand();
cmd.CommandText = selectString;
cmd.Connection = conn;
cmd.ExecuteReader();
```

The code above should be using parameterized statements or stored procedures. A parameterized statement is shown […]
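As an added example (not the post's own code), the same query rewritten with a SqlParameter so that the user-supplied value is sent to SQL Server as typed data and never becomes part of the SQL text. The table and column names are taken from the snippet above; the connection string, the assumption that MyOtherColumn is a string column, and the parameter length are placeholders chosen for illustration.

```csharp
// Added example, not from the original post: parameterized form of the query above.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ParameterizedQuery
{
    // Placeholder connection string (assumption); replace with a real one.
    private const string ConnectionString =
        "Server=YOUR_SERVER;Database=YOUR_DB;Integrated Security=true;";

    public static void ReadRows(string value)
    {
        // The SQL text is a constant; @value is a named placeholder, not a string splice.
        const string selectString =
            "select MyColumn from Mytable where MyOtherColumn = @value";

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(selectString, conn))
        {
            // Declare the parameter with an explicit type and length (assumed NVarChar(50))
            // so the driver transmits it as a typed value. Quotes, semicolons or comment
            // markers inside `value` are matched literally against the column.
            cmd.Parameters.Add("@value", SqlDbType.NVarChar, 50).Value = value;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    Console.WriteLine(reader["MyColumn"]);
                }
            }
        }
    }

    public static void Main()
    {
        // Constructed input containing an apostrophe: it would break the concatenated
        // query in the original snippet, but here it is simply the value being searched for.
        ReadRows("O'Brien");
    }
}
```

If MyOtherColumn is numeric (the original concatenation without quotes suggests it might be), declare the parameter as `SqlDbType.Int` and assign an `int`; the driver then rejects non-numeric input before any SQL runs, which is a second layer of defence on top of parameterization. In a code review, the check is simple: every SqlCommand whose CommandText is built with `+`, string interpolation or `string.Format` from anything outside the program's own constants is a finding.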