Safety from SQL injection

Question

SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings[\"techconn\"].ToString());

            SqlCommand com = new SqlCommand(\"select * from          


        

Answer 1

IF you use direct textbox reference to your sql query then it will never be SQL injection safe any end user can pass Injecting values to your text box and it will be injected.

Never use UI elements directly to your SQL you can try the below line of CODE

SqlConnection conn = new SqlConnection(_connectionString);  
conn.Open();  
string s = "select * from hs where ac between @TextBoxOnevaluevariable and
@TextBoxTwovaluevariable and em=@DropdownSelectedTextVariable";

SqlCommand cmd = new SqlCommand(s);  
cmd.Parameters.Add("@TextBoxOnevaluevariable", Texbox1.Text);  
cmd.Parameters.Add("@TextBoxTwovaluevariable", Texbox2.Text);  
cmd.Parameters.Add("@DropdownSelectedTextVariable",DropDownList1.SelectedItem.Text.ToString());  
SqlDataReader reader = cmd.ExecuteReader();