In both queries 1 and 2, the text from the textbox is inserted into the database. What's the significance of the parameterized query here?
Passing tx
SQL injection happens when a possible parameter has SQL within it and the strings are not handled as they should be.
eg:
var sqlquerywithoutcommand = "select * from mytable where rowname = '" + condition + "'";
and the condition is a string coming from the user in the request. If the condition is malicious, say e.g.:
var sqlquerywithoutcommand = "select * from mytable where rowname = '" + "a' ;drop table mytable where '1=1" + "'";
you could end up running malicious scripts.
But using parameters, the input will be cleaned of any characters which might escape string characters...
You can be assured that no matter what comes in, it will not be able to run injected scripts.
Using the command object with parameters, the SQL actually executed would look like this:
select * from mytable where rowname = 'a'';drop table mytable where 1=1'''
In essence it will be looking for a row with rowname = a';drop table mytable where 1=1' and not running the remaining script.
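As an added example that is not part of the question or the answer above, here is the same contrast (string concatenation versus a parameterized query) in Python against an in-memory SQLite database instead of the ADO.NET command object the answer refers to. The table, rows and payloads are constructed for this example. The stacked-statement payload uses DELETE rather than DROP so that the trailing quote is consumed by a valid WHERE clause, and it is run through executescript() because the sqlite3 module's execute() refuses more than one statement per call while drivers such as SqlCommand do not. The parameterized version sends the SQL text and the value separately, so the value can only ever be compared against rowname.

```python
import sqlite3

# Constructed sample data and payloads for this example (not from the original post).
ROWS = [("a", "alice-secret"), ("b", "bob-secret")]
# Stacked-statement payload in the spirit of the answer: close the string, add a
# second statement, and let its WHERE clause swallow the trailing quote.
STACKED_PAYLOAD = "a'; delete from mytable where '1'='1"
# Tautology payload: turns "rowname = '...'" into a condition that is always true.
TAUTOLOGY_PAYLOAD = "x' or '1'='1"


def fresh_db():
    """In-memory database with a two-row table to attack."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (rowname text, secret text)")
    conn.executemany("insert into mytable values (?, ?)", ROWS)
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("select count(*) from mytable").fetchone()[0]


def lookup_concat(conn, condition):
    """Vulnerable: the user string is spliced into the SQL text, so quotes in
    it change the statement's structure."""
    sql = "select rowname, secret from mytable where rowname = '" + condition + "'"
    return conn.execute(sql).fetchall()


def lookup_concat_stacked(conn, condition):
    """Same concatenation, run through executescript() because sqlite3's
    execute() refuses more than one statement per call, whereas drivers such as
    ADO.NET's SqlCommand run stacked statements. Returns the rows left afterwards."""
    sql = "select rowname, secret from mytable where rowname = '" + condition + "'"
    conn.executescript(sql)
    return row_count(conn)


def lookup_param(conn, condition):
    """Safe: the SQL text is fixed at '?' and the value is bound separately, so
    it is only ever compared against rowname and never parsed as SQL."""
    sql = "select rowname, secret from mytable where rowname = ?"
    return conn.execute(sql, (condition,)).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("concat, tautology ->", lookup_concat(db, TAUTOLOGY_PAYLOAD))  # both rows leak
    print("param,  tautology ->", lookup_param(db, TAUTOLOGY_PAYLOAD))   # []
    print("param,  stacked   ->", lookup_param(db, STACKED_PAYLOAD))     # []
    print("rows after param  ->", row_count(db))                         # 2
    print("rows after concat ->", lookup_concat_stacked(db, STACKED_PAYLOAD))  # 0
```

Running the script shows the concatenated query leaking every row for the tautology payload and losing the whole table to the stacked payload, while the parameterized query returns nothing for either payload and leaves the two rows in place.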